On 10.03.2012 19:52, Michael Bell wrote:
> On 03.03.2012 21:18, Michael Bell wrote:
>
>> 1. Every string in the database is a string without escape characters.
>> "...\,..." is a backslash and comma.
>
> Just a question: how about a string which contains % or _? Do we protect
> SQL's LIKE against such injections?
We only use real LIKE operations in two situations: to list all configurations and to search for certificates. The first one is only a hack.

According to the code (OpenXPKI::Server::API::Object) we do not expect % as a regular part of email, subject and issuer. I think this is an acceptable limitation. Additionally, _ is not handled in any special way. So "c_de_o_ps" matches "c=de,o=ps", "code oops" and "c_de_o_ps" ;)

This is perhaps funny, but I don't see a real danger today. We only have too many matches (which is a potential information leak). Does somebody think this is a risk?

If we think so, then we have two options:

1. Enable the escape mode of SQL LIKE and check all values very carefully.
2. Distinguish between LIKE and equal (and relax about certificate search).

Any comments?

Best regards
Michael

--
___________________________________________________________________
Michael Bell                    Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 70143      ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 70135      Unter den Linden 6
[email protected]                 D-10099 Berlin
___________________________________________________________________
PGP Fingerprint: 09E4 3D29 4156 2774 0F2C C643 D8BD 1918 2030 5AAB
_______________________________________________ OpenXPKI-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-devel
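An added example, not code from the thread or from OpenXPKI, that reproduces the over-matching Michael describes and then shows his option 1 (LIKE with an explicit ESCAPE clause) in Python on an in-memory SQLite database. The `certificate` table layout, the sample subjects and the `like_escape`/`search_*` helpers are constructed here for the illustration; only the three "c_de_o_ps" matches come from the message above.

```python
import sqlite3

# Constructed sample subjects (not real OpenXPKI data). The first three are
# the ones Michael lists as matching the pattern "c_de_o_ps".
SUBJECTS = [
    "c=de,o=ps",
    "code oops",
    "c_de_o_ps",
    "c=de,o=psx",
    "c=de,o=ps,cn=100% uptime",
]


def make_db():
    """In-memory table with the constructed subjects; stands in for the real certificate table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE certificate (identifier INTEGER PRIMARY KEY, subject TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO certificate (subject) VALUES (?)", [(s,) for s in SUBJECTS]
    )
    return conn


def search_unescaped(conn, pattern):
    """The behaviour described in the thread: the user-supplied pattern goes
    straight into LIKE, so % and _ act as wildcards. Parameter binding protects
    against classic SQL injection but not against wildcard over-matching."""
    rows = conn.execute(
        "SELECT subject FROM certificate WHERE subject LIKE ? ORDER BY identifier",
        (pattern,),
    )
    return [r[0] for r in rows]


def like_escape(value, esc="\\"):
    """Make a value match literally under LIKE ... ESCAPE esc: the escape
    character itself is doubled first, then % and _ are prefixed with it."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_literal(conn, value, substring=False):
    """Option 1 from the thread: enable LIKE's escape mode. The caller's text
    is escaped, so the only wildcards in the final pattern are the ones this
    function adds itself (the surrounding % for a substring search)."""
    pattern = like_escape(value)
    if substring:
        pattern = "%" + pattern + "%"
    rows = conn.execute(
        "SELECT subject FROM certificate WHERE subject LIKE ? ESCAPE '\\' ORDER BY identifier",
        (pattern,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Over-matching: _ matches any single character, so three rows come back.
    print(search_unescaped(db, "c_de_o_ps"))
    # A lone % enumerates the whole table: the information leak Michael mentions.
    print(search_unescaped(db, "%"))
    # With escaping, the same input matches only itself.
    print(search_literal(db, "c_de_o_ps"))
    # Substring search still works, and a literal % in the data is searchable.
    print(search_literal(db, "100%", substring=True))
```

The escape character must be doubled before the metacharacters are escaped, otherwise a trailing backslash in the input would swallow the escape added for a following `%`. SQLite, PostgreSQL and MySQL all accept the `ESCAPE` clause; with Perl DBI the same pattern is built by escaping the value in Perl and binding it as a placeholder, as here.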
