Janne Jalkanen wrote:
> > Wouldn't a simple solution to that be to filter for URLs and have the
> > alias declaration fail upon finding any? Similarly, any XML/HTML markup?
> > E.g., if the alias string contains "<", ">", "&" or "://" we kill it.
> Nope. Only whitelisting works (that is, approve only [A-Za-z0-9_.] or
> something like that (well, the internationalized version with \{p})).
> And not necessarily even then - there are SQL injection attacks which
> need no quote escapes.
Funny, I've been in a tech meeting for the last couple of days and this
subject came up -- where can I find out how SQL injection attacks could
be propagated within a wiki, in particular JSPWiki? or JSPs in general?
I'm not currently using a SQL-based backend, but if I were how would
this get passed through JSPWiki? It seems easy enough to filter out.
In reading about this I didn't see how it could happen, i.e., how this
could squeak through a JSP-based system even if it did have a SQL backend.
If you have a handy reference it'd be much appreciated. Thanks!
Murray
----
Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
by example: http://www.unixwiz.net/techtips/sql-injection.html
(noting the section 'Sanitize the input' sounds like your advice)
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
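Added example (not JSPWiki code, nor from either poster): a small Python/sqlite3 script that makes Janne's two points concrete. The page table, the "private" flag and the payloads are constructed here for illustration. The first payload, "2 OR 1=1", lands in a numeric WHERE clause and needs no quote at all, so the proposed blacklist of "<", ">", "&" and "://" lets it straight through; the second, "x' OR alias = 'Secret", breaks out of a quoted literal with characters the blacklist never looks at. The whitelist [A-Za-z0-9_.] rejects both, and the hardened lookups additionally bind the value as a query parameter so the database never parses user input as SQL.

```python
import re
import sqlite3

# Constructed sample data (not from JSPWiki): a minimal page table standing in
# for a SQL-backed wiki. The "private" flag marks pages a lookup must never return.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, alias TEXT, body TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (id, alias, body, private) VALUES (?, ?, ?, ?)",
        [(1, "Main", "welcome", 0), (2, "Secret", "the secret body", 1)],
    )
    return conn

# The blacklist proposed in the thread: reject markup and URL fragments.
def blacklist_ok(value):
    return not any(tok in value for tok in ("<", ">", "&", "://"))

# The whitelist Janne describes: only [A-Za-z0-9_.] for an alias, digits for an id.
ALIAS_RE = re.compile(r"[A-Za-z0-9_.]+")
ID_RE = re.compile(r"[0-9]+")

def whitelist_ok(value, pattern=ALIAS_RE):
    return pattern.fullmatch(value) is not None

# Vulnerable: the id is concatenated into a numeric context, so an attacker
# needs no quote at all; "2 OR 1=1" passes the blacklist and widens the WHERE
# to every row, private pages included.
def lookup_unsafe(conn, page_id):
    sql = "SELECT alias FROM pages WHERE private = 0 AND id = " + page_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

# Vulnerable: the alias is quoted, but "x' OR alias = 'Secret" contains none of
# the blacklisted characters and still closes the literal and adds its own clause.
def find_by_alias_unsafe(conn, alias):
    sql = "SELECT body FROM pages WHERE private = 0 AND alias = '" + alias + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened: whitelist the input first, then bind it as a parameter so the
# database receives it as data, never as part of the statement.
def lookup_safe(conn, page_id):
    if not whitelist_ok(page_id, ID_RE):
        raise ValueError("rejected page id: %r" % page_id)
    rows = conn.execute(
        "SELECT alias FROM pages WHERE private = 0 AND id = ? ORDER BY id", (int(page_id),)
    )
    return [row[0] for row in rows]

def find_by_alias_safe(conn, alias):
    if not whitelist_ok(alias):
        raise ValueError("rejected alias: %r" % alias)
    rows = conn.execute(
        "SELECT body FROM pages WHERE private = 0 AND alias = ?", (alias,)
    )
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    for payload in ("2 OR 1=1", "x' OR alias = 'Secret"):
        print("%-24s blacklist=%s whitelist=%s" % (payload, blacklist_ok(payload), whitelist_ok(payload)))
    print("unsafe id lookup:   ", lookup_unsafe(db, "2 OR 1=1"))
    print("unsafe alias lookup:", find_by_alias_unsafe(db, "x' OR alias = 'Secret"))
    print("safe id lookup:     ", lookup_safe(db, "1"))
```

The same pattern applies to a JSP or servlet backend: a JDBC PreparedStatement with "?" placeholders plays the role of the parameterized execute() here, and the whitelist check belongs in front of it regardless, since the database driver cannot tell a legitimate alias from one that merely happens to parse.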