On Sun, 12 Dec 2021 17:41:05 -0600, John McKown wrote:
>On Sunday, December 12, 2021, Andrew Rowley wrote:
>>
>> *My understanding* is that the vulnerability can be exploited if you log
>> data that comes from untrusted sources, e.g. user input like URLs, ...
>>
>> Conceptually it seems similar to SQL injection attacks. Among other
>> things, it highlights the danger of working with data from untrusted
>> sources including http requests, login attempts, etc.
>>
>... I also, for SQL, use
>"compiled" expressions and then "execute" those expressions passing the
>data as parameters ( after validation). This is a simple way, in most SQL,
>to avoid injection attacks.
>
A design target should be interfaces which require less such validation by
the caller. For example, I have used CMS RXSQL where parameter values
were passed as names of host variables, not quoted strings.
Or, in Rexx:
PARM = ARG( 1 )
address LINKMVS 'WOMBAT PARM'
WOMBAT must validate its PARM; as the caller I needn't do so in Rexx. Or:
address SYSCALL 'open (path)'
The value of path, fetched by IRXEXCOM, will be passed unparsed as
argv(1) to open().
Or: address ISREDIT 'LINE AFTER 42 = (STRING)'
rather than:
address ISREDIT 'LINE AFTER 42 =' STRING
Yes, this burdens interface code with the need to access host variables
in each supported language, or each language with the need to manipulate
a common variable pool.
-- gil
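As an added example (not from the post or the IBM-MAIN thread), the following Python models the two ISREDIT call styles above with a toy command interpreter and shows the same contrast for SQL with sqlite3 parameter binding, which is what John McKown's "compiled" expressions with parameters do. The command grammar (`LINE AFTER n = value`, `DELETE ALL`, statements separated by `;`), the `Editor` class, the variable-pool dictionary and the sample payload are all constructed for illustration and are not ISREDIT's or RXSQL's real behaviour.

```python
"""Pass values by host-variable name, not as text spliced into a command.

Added example, not from the original post. The command language, the
Editor class, the variable pool and the sample data are constructed.
"""
import re
import sqlite3
from typing import Dict, List, Tuple


def split_statements(command: str) -> List[str]:
    """Split on ';' outside single quotes (Rexx-style '' escapes a quote)."""
    stmts, cur, in_quote = [], [], False
    for ch in command:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    stmts.append("".join(cur).strip())
    return [s for s in stmts if s]


class Editor:
    """Toy editor: numbered lines plus a host-variable pool (the Rexx variables)."""

    def __init__(self, lines) -> None:
        self.lines: List[str] = list(lines)
        self.pool: Dict[str, str] = {}

    def _value(self, token: str) -> str:
        # (NAME): fetch the variable's value from the pool; it is never parsed.
        m = re.fullmatch(r"\((\w+)\)", token)
        if m:
            return self.pool[m.group(1)]
        # 'text': a quoted literal, so the command text itself carries the value.
        m = re.fullmatch(r"'((?:[^']|'')*)'", token)
        if m:
            return m.group(1).replace("''", "'")
        raise ValueError(f"bad value token: {token!r}")

    def execute(self, command: str) -> None:
        for stmt in split_statements(command):
            m = re.fullmatch(r"LINE AFTER (\d+) = (.+)", stmt)
            if m:
                n = int(m.group(1))
                if n > len(self.lines):
                    raise ValueError(f"no line {n}")
                self.lines.insert(n, self._value(m.group(2)))
            elif stmt == "DELETE ALL":
                self.lines.clear()
            else:
                raise ValueError(f"unknown statement: {stmt!r}")


def caller_interpolated(ed: Editor, text: str) -> None:
    """address ISREDIT 'LINE AFTER 42 =' STRING : the value becomes command text."""
    ed.execute("LINE AFTER 42 = '" + text + "'")


def caller_by_name(ed: Editor, text: str) -> None:
    """address ISREDIT 'LINE AFTER 42 = (STRING)' : the command text is constant."""
    ed.pool["STRING"] = text
    ed.execute("LINE AFTER 42 = (STRING)")


# Constructed hostile input: closes the quote and smuggles in a second statement.
PAYLOAD = "hello'; DELETE ALL; LINE AFTER 0 = '"


def demo_editor(text: str = PAYLOAD) -> Tuple[List[str], List[str]]:
    """Return the buffer after each call style on a fresh 42-line editor."""
    ed1 = Editor(f"L{i}" for i in range(1, 43))
    caller_interpolated(ed1, text)
    ed2 = Editor(f"L{i}" for i in range(1, 43))
    caller_by_name(ed2, text)
    return ed1.lines, ed2.lines


def demo_sql(user: str = "x' OR '1'='1") -> Tuple[List[str], List[str]]:
    """Same contrast in SQL: spliced literal vs. bound parameter (constructed table)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    unsafe = con.execute("SELECT name FROM users WHERE name = '" + user + "'").fetchall()
    safe = con.execute("SELECT name FROM users WHERE name = ?", (user,)).fetchall()
    return [r[0] for r in unsafe], [r[0] for r in safe]


if __name__ == "__main__":
    spliced, by_name = demo_editor()
    print("interpolated buffer:", spliced)        # payload wiped the buffer
    print("by-name buffer tail:", by_name[-1])    # payload stored as plain text
    print("sql:", demo_sql())
```

With the interpolated call the payload's `'` terminates the literal and `DELETE ALL` runs as a separate statement; with the by-name call the interface fetches the value from the pool after parsing is over, so the same bytes land in the buffer as an ordinary line. The sqlite3 pair shows the identical split between a literal spliced into SQL text and a bound parameter.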
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN