| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Newsgroups | comp.lang.python |
| Subject | Re: WP-A: A New URL Shortener |
| Date | Sat, 26 Mar 2016 14:46:38 +1100 |
| Message-ID | <mailman.18.1458964008.28225.python-list@python.org> |
| References | <1537bd9e261.12a0e5b4a204345.4468160629979098801@vmesel.com> <CAGq7KhregQabRkwUg6EQbqqy97FaYrC7WuWuSdO-=mhg0GSneg@mail.gmail.com> <500E8DF1-DCAC-4923-BD94-06DA1716484A@vmesel.com> <mailman.291.1458254120.12893.python-list@python.org> <1964524.jFVgOtWIx9@PointedEars.de> <mailman.298.1458257054.12893.python-list@python.org> <2334208.C0ktZ5B2k1@PointedEars.de> <mailman.392.1458396992.12893.python-list@python.org> <4500052.tJGngFWhWt@PointedEars.de> <mailman.13.1458942513.28225.python-list@python.org> <7663219.M9yg8PEDtW@PointedEars.de> <mailman.14.1458947054.28225.python-list@python.org> <2279730.a2M0GptDFN@PointedEars.de> |
| In-Reply-To | <2279730.a2M0GptDFN@PointedEars.de> |
On Sat, Mar 26, 2016 at 2:30 PM, Thomas 'PointedEars' Lahn
<PointedEars@web.de> wrote:
> Since nothing indicates the used module and accessed DBMS (only that, if it
> is Python code, the module cannot be sqlite3 as that does not support “%s”),
> then this code can, if the module uses an escaping mechanism, still be
> vulnerable to SQL injection. For example, I could input something to the
> effect of
>
> #---------------------------------------------------------------------------
> data = r'\"); DROP TABLE some_table; --'
> #---------------------------------------------------------------------------
>
> if, for example, the string escaping mechanism in the module would simply
> duplicate any double-quote it finds to escape it in the string literal that
> it created (as is possible in MySQL and PostgreSQL), and still inject my
> code because the resulting query would be
>
> insert into some_table (some_column) values ("\"");
> DROP TABLE some_table;
> --")
>
> which is at least syntactically valid MySQL code, but from the perspective
> of the so-attacked it is still not fine as the table would be gone
> afterwards.
In other words, you are assuming that the string escaping *in the
module* is buggy. Well, duh. This is exactly what I said about not
having stupid bugs. The developer of a MySQL binding library should
know the *entire* rules for escaping, and, duh, that's going to
include escaping the backslash. So the escaped query would be
something like:
insert into some_table (some_column) values ("\\"");
DROP TABLE some_table;
--")
which would be interpreted correctly by MySQL.
ChrisA
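The disagreement above is concrete enough to check mechanically. The following is an added example, not code from either poster: it takes Thomas's payload, runs it through two string escapers (one that only doubles double-quotes, as in the buggy mechanism he describes, and one that also escapes the backslash, as Chris says a correct MySQL binding must), and feeds each resulting query to a small constructed scanner that splits MySQL-style text into statements the way the server would read it. It then shows the approach that sidesteps the whole question: parameter binding with the stdlib `sqlite3` module, whose `?` placeholders never splice the value into SQL text. The scanner, the escaper names and the table name `some_table` are assumptions made for this example; the scanner simplifies MySQL's comment rule by treating any `--` outside a literal as a comment to end of line.

```python
import sqlite3

# Constructed test input: the payload quoted in the thread.
PAYLOAD = r'\"); DROP TABLE some_table; --'

QUERY_TEMPLATE = 'insert into some_table (some_column) values ("%s")'


def escape_quotes_only(value):
    """Buggy escaper: doubles double-quotes but leaves backslashes alone."""
    return value.replace('"', '""')


def escape_backslash_and_quotes(value):
    """Correct escaper for a backslash-escaping dialect: escape the backslash
    first, then double the quote, matching the query shown in the reply."""
    return value.replace("\\", "\\\\").replace('"', '""')


def build_query(escaper, value=PAYLOAD):
    """Splice the escaped value into the template (what string escaping does)."""
    return QUERY_TEMPLATE % escaper(value)


def split_statements(sql):
    """Toy MySQL-style statement splitter (constructed for this example).

    Inside a double-quoted literal a backslash escapes the next character and a
    doubled quote ("") is a literal quote; both keep the scanner inside the
    string.  Outside a literal, ';' ends a statement and '--' starts a comment
    that runs to end of line (real MySQL also requires whitespace after '--').
    """
    statements, current = [], []
    in_string = False
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_string:
            current.append(ch)
            if ch == "\\" and i + 1 < n:        # backslash escape: keep next char
                current.append(sql[i + 1])
                i += 2
                continue
            if ch == '"':
                if i + 1 < n and sql[i + 1] == '"':   # doubled quote stays inside
                    current.append('"')
                    i += 2
                    continue
                in_string = False                # lone quote closes the literal
            i += 1
            continue
        if ch == '"':
            in_string = True
            current.append(ch)
        elif sql.startswith("--", i):            # comment to end of line
            eol = sql.find("\n", i)
            i = n if eol == -1 else eol
            continue
        elif ch == ";":                          # statement boundary
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return [s for s in statements if s]


def store_with_binding(value):
    """Parameter binding: the driver passes the value separately from the SQL.
    sqlite3 uses '?' placeholders (it does not accept %s, as noted upthread).
    Returns the stored value and the tables that still exist afterwards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table some_table (some_column text)")
    conn.execute("insert into some_table (some_column) values (?)", (value,))
    stored = conn.execute("select some_column from some_table").fetchone()[0]
    tables = [row[0] for row in conn.execute(
        "select name from sqlite_master where type = 'table'")]
    conn.close()
    return stored, tables


if __name__ == "__main__":
    for escaper in (escape_quotes_only, escape_backslash_and_quotes):
        query = build_query(escaper)
        print(f"{escaper.__name__}: {query}")
        print("  statements the server would run:", split_statements(query))
    print("with binding:", store_with_binding(PAYLOAD))
```

The quote-only escaper yields two statements (the INSERT and the DROP), the backslash-aware escaper yields one INSERT whose literal contains the whole payload, and the bound-parameter version stores the payload verbatim while `some_table` survives. Which escaper is "right" depends on the server's dialect, which is exactly why binding is the safer default: the driver, not the application, owns that knowledge.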