
Re: inactivity, and orphaned packages



Actually the more I look at this, the more I think it would be better to log
an entry about unescaped chars to the system log and deny the query. At
least until the patch
(http://cert.uni-stuttgart.de/doc/postgresql/escape/postgresql-escape-2001-09-04.diff)
has been added to the pgsql mainstream package.

I can return an error message stating why the query was denied. This would
also force the developer to monitor their code as well.

Like the alert says, this would put the responsibility on the developer. The
PAM module should just check for a correctly formed string complete with
security check.

Any thoughts?

----- Original Message -----
From: David D.W. Dowey <david-downey@citlink.net>
To: Leon Breedt <ljb@neverborn.ORG>
Cc: <debian-devel@lists.debian.org>
Sent: Wednesday, January 09, 2002 3:14 AM
Subject: Re: inactivity, and orphaned packages


> This problem looks to be in the libpq itself, not the pam library module
> itself.
>
> I could probably extend the module to include the escape check itself.
> Shouldn't hurt any queries adding that check before making submissions,
> whether this patch has been added or not.
>
> Simple check for formatting should do it.
>
> Want to discuss this fix privately or on the list? Or do you just want me
> to take the package and fix on my own?
>
> Also, who would be sponsoring my package once I took this over? Would you
> be doing it or do I need to make a request for a different sponsor?
>
> Either is fine for me. All depends on _your_ time allowance.
>
> > There is a security problem with the way it accesses the database, in
> > that single quotes are not escaped.
> >
> > A discussion of the problem, and a suggested fix, is here:
> >
> > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> >
> > I myself don't have the time to look into this...
> >
> > Regards,
> > Leon.
>
>
>
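As an added illustration of the deny-and-log approach proposed above (this is example code, not the pam module's own code nor the libpq patch), a small C sketch: `sql_literal_is_clean`, `escape_sql_literal`, `build_user_query`, the syslog message and the query text are all assumed names and assumptions, not taken from the package.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical check: 1 if s contains no character that would need escaping
 * inside a single-quoted SQL literal (' or \), 0 otherwise. */
int sql_literal_is_clean(const char *s)
{
    return strpbrk(s, "'\\") == NULL;
}

/* Hypothetical escape routine (the alternative to denying): copy src into dst,
 * doubling ' and \. Returns the length written, or -1 if dst is too small. */
int escape_sql_literal(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '\'' || *src == '\\') ? 2 : 1;
        if (n + need >= dstlen)
            return -1;              /* leave room for the terminating NUL */
        if (need == 2)
            dst[n++] = *src;        /* write the special character twice */
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Deny-and-log policy from the thread: refuse to build the query when the
 * user name is not clean, record it in the system log, and return -1 so the
 * caller can report why it was denied. Otherwise build the lookup query. */
int build_user_query(char *query, size_t qlen, const char *user)
{
    if (!sql_literal_is_clean(user)) {
        syslog(LOG_WARNING, "pam_pgsql: query denied, unescaped char in user name");
        return -1;
    }
    snprintf(query, qlen, "SELECT passwd FROM users WHERE login = '%s'", user);
    return 0;
}

int main(void)
{
    char q[128];
    const char *names[] = { "alice", "o'neil" };   /* constructed sample input */
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", names[i], build_user_query(q, sizeof q, names[i]) == 0 ? q : "denied");
    return 0;
}
```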
