
Re: inactivity, and orphaned packages



On Wed, Jan 09, 2002 at 04:01:14AM -0800, David D.W. Dowey wrote:
> Actually the more I look at this, the more I think it would be better to log
> an entry about unescaped chars to the system log and deny the query. At
> least until the patch
> (http://cert.uni-stuttgart.de/doc/postgresql/escape/postgresql-escape-2001-09-04.diff)
> has been added to the pgsql mainstream package.
> 
> I can return an error message stating why the query was denied. This would
> also force the developer to monitor their code as well.
> 
> Like the alert says, this would put the responsibility on the developer. The
> PAM module should just check for a correctly formed string complete with
> security check.
> 
> Any thoughts?
I like it: define a set of allowed SQL characters (this must be
in an ANSI standard doc somewhere) and deny everything else; that way you're always
covered for any suspicious characters.

Regarding the sponsoring, I don't have access to a Debian machine at the
moment, and I don't want to put my private key on another machine, so it may
be a problem unless Debian works in FreeBSD's binary emulation mode :)

Let's take further discussion off the list?

Regards,
Leon.
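The allowlist-and-deny approach Leon endorses above, as an added example that is not code from this thread or from any PAM module: a small C validator that accepts a user-supplied field only when every byte is in an assumed allowlist, and otherwise reports the offending position so the caller can log it and refuse the query. The allowlist contents and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for a field (e.g. a user name) that will be embedded in
 * an SQL query. Deliberately excludes quotes, backslash, semicolon, comment
 * markers and whitespace; anything not listed here is denied. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "._-@";

/* Returns -1 when every character of s is in ALLOWED, otherwise the index
 * of the first character that is not (so it can be logged and the query
 * denied rather than escaped). */
int first_disallowed(const char *s) {
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (strchr(ALLOWED, s[i]) == NULL)
            return (int)i;
    }
    return -1;
}

/* Policy decision for one field: non-empty, bounded length, allowlisted.
 * Returns 1 to accept, 0 to deny; on denial, writes a reason suitable for
 * a syslog line or an error returned to the caller. */
int query_field_ok(const char *s, size_t max_len, char *reason, size_t reason_len) {
    size_t n = strlen(s);
    int pos;
    if (n == 0) {
        snprintf(reason, reason_len, "empty field");
        return 0;
    }
    if (n > max_len) {
        snprintf(reason, reason_len, "field too long (%zu > %zu)", n, max_len);
        return 0;
    }
    if ((pos = first_disallowed(s)) >= 0) {
        snprintf(reason, reason_len, "disallowed character 0x%02x at offset %d",
                 (unsigned char)s[pos], pos);
        return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample inputs: one benign name, one carrying a quote. */
    const char *samples[] = { "alice.smith", "o'brien" };
    char reason[80];
    for (int i = 0; i < 2; i++) {
        int ok = query_field_ok(samples[i], 32, reason, sizeof reason);
        printf("%-12s -> %s%s\n", samples[i], ok ? "accept" : "deny: ", ok ? "" : reason);
    }
    return 0;
}
```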


