On 13.12.21 14:03, Lukas Tribus wrote:
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic <al-hapr...@none.at> wrote:
1. Why is an input from outside of the application passed unchecked to the 
logging library!

Because you can't predict the future.

When you know that your backend is SQL, you escape what's necessary to
avoid SQL injection (or use prepared statements) before sending
commands against the database.
When you know your output is HTML, you escape HTML special characters,
so untrusted inputs can't inject HTML tags.

That's what input validation means.

How exactly do you verify and sanitise inputs to protect against an
unknown vulnerability with an unknown syntax in a logging library that
is supposed to handle all strings just fine? You don't, it doesn't
work this way, and that's not what input validation means.

Well, I go the other way around.

The application must know what data are allowed, verify the input, and if the 
input is not valid, discard it.
In any case, the user input should never be sent directly to the database!
There are a lot of options in many different languages to quote or prepare 
queries *before* they are sent to the database.

I know that this is a lot of work because I do this in almost every one of my 
programs, but security and error handling is a must in current applications 
and I would say at least 1/3 of an application.

We see this in haproxy quite well, as there are a huge amount of checks for 
null, expected types and a lot of other checks; that's why haproxy is so 
robust and secure, imho.

But I think this is now off topic, let's mail off-list further, okay?

Lukas

Regards
Alex
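The three defences the thread names (escaping or prepared statements for SQL, escaping for HTML output, and rejecting input the application does not expect) side by side, as an added example that is not code from either poster or from HAProxy. The in-memory user table, the usernames and the allowed-character rule for a username are constructed for the demonstration; only the standard library is used.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a real backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # The untrusted value is spliced into the SQL text, so a quote character in
    # it changes the query structure. This is the pattern the thread warns about.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    # Prepared statement: the driver binds the value separately from the query
    # text, so whatever the string contains it is compared as data only.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_username(name):
    # Allow-list check in the spirit of "the application must know what data are
    # allowed": the rule (lowercase letters, digits, underscore, 1-32 chars) is an
    # assumption for this example, not a universal definition of a username.
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


def render_greeting(name):
    # Output encoding for the HTML context: special characters become entities,
    # so an untrusted name cannot introduce tags into the page.
    return "<p>Hello, " + html.escape(name) + "</p>"


def handle_request(conn, name):
    # Defence in depth as the thread describes it: reject input the application
    # does not expect, and still never concatenate it into the query or the page.
    if not validate_username(name):
        return None
    roles = lookup_prepared(conn, name)
    if not roles:
        return None
    return render_greeting(name) + " role=" + html.escape(roles[0])


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "alice"))            # ['admin']
    print(lookup_unsafe(db, "x' OR '1'='1"))     # every row: the quote broke the query
    print(lookup_prepared(db, "x' OR '1'='1"))   # []: treated as a literal name
    print(handle_request(db, "bob"))
    print(handle_request(db, "<b>bob</b>"))      # None: rejected before any query
```

Running the file shows the same input producing a leaked result set through `lookup_unsafe` and an empty one through `lookup_prepared`; `handle_request` additionally rejects anything outside the allow-list before the database or the HTML renderer ever sees it.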
