Sorry, too, for the delay in repsonse....

> On 11 Feb 2018, at 16:49 , Peter Rabbitson <rabbit+d...@rabbit.us> wrote:
> Yes, this is a legitimate problem, thank you for finding and reporting it! ( 
> although in the future please consider contacting an author directly in 
> private when a potential vulnerability has been identified - doing so 
> publicly is somewhat suboptimal )

I know, I was not sure how to report or ask about this. In this case I didn't 
see it like a bug/security problem in DBIx::Class itself - it's a) me passing 
on arbitrary data structures from users without checking and b) SQL::Abstract 
doing unexpected things. I thought if I had been aware I'd have taken more 
care, and that way more people would be aware, too. But I'll report things like 
that privately in the future. 

> A solid fix for all of the above ( and potentially similar issues ) would be 
> to augment the already-existing injection guard [2] to explicitly look for
> qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix

Great, thanks!

> I suspect this should go into the default set shipped with SQL::Abstract [3] 
> , but have not yet done any testing / analysis of how much impact this would 
> have.
> As a first step I'd recommend you contact the mojolicious people with this 
> workaround, as they currently seem to be the primary driver behind SQLA 
> things.

Will do, at the moment work's not leaving me much time (as you might've guessed 
from my response time), but there's some light on the horizon.

List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
Searchable Archive: http://www.grokbase.com/group/dbix-class@lists.scsys.co.uk

Reply via email to