----- Original Message -----
From: "Simon Kenyon" <[EMAIL PROTECTED]>

> On Wednesday 27 April 2005 05:21, David Shay wrote:
> > As discussed on IRC last night, here is a patch to provide a generic SQL
> > service through the myth protocol. This will be helpful to external
<snip>
> what security is associated with this?
> is it a mechanism for injecting malicious SQL into the db?

Well, I had considered this. I could easily modify this so that it would force a "SELECT" up front. Of course, carefully crafted subqueries could bypass that as well, so it wouldn't buy you a whole lot. Also, any frontend already has a file on it somewhere that identifies the mythtv sql userid and password.

Also, I would hope that in general you would not have your mythtv protocol port exposed to the internet anyway. You can already do enough nasty things with the standard protocol. I could easily write something to query all of the recordings and then delete all of them, all without any authentication.

If security is a concern, I don't believe that this specific protocol really adds much danger to it. It's probably better to deal with that issue by adding some layer of authentication into the overall protocol.

My intention with this was to first create a general protocol extension so that any functionality that the frontend does today could be replicated by a non-myth pseudo-frontend. If specific things turned out to be useful, then I would create a new protocol command to handle these specific instances -- I discussed that with Isaac on IRC.

_______________________________________________
mythtv-dev mailing list
[email protected]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-dev
