From: Chris Angelico
Newsgroups: comp.lang.python
Subject: Re: WP-A: A New URL Shortener
Date: Sat, 26 Mar 2016 14:46:38 +1100
References: <1537bd9e261.12a0e5b4a204345.4468160629979098801@vmesel.com> <500E8DF1-DCAC-4923-BD94-06DA1716484A@vmesel.com> <1964524.jFVgOtWIx9@PointedEars.de> <2334208.C0ktZ5B2k1@PointedEars.de> <4500052.tJGngFWhWt@PointedEars.de> <7663219.M9yg8PEDtW@PointedEars.de> <2279730.a2M0GptDFN@PointedEars.de>
In-Reply-To: <2279730.a2M0GptDFN@PointedEars.de>
Xref: csiph.com comp.lang.python:105726

On Sat, Mar 26, 2016 at 2:30 PM, Thomas 'PointedEars' Lahn wrote:
> Since nothing indicates the used module and accessed DBMS (only that, if it
> is Python code, the module cannot be sqlite3 as that does not support “%s”),
> then this code can, if the module uses an escaping mechanism, still be
> vulnerable to SQL injection. For example, I could input something to the
> effect of
>
> #---------------------------------------------------------------------------
> data = r'\"); DROP TABLE some_table; --'
> #---------------------------------------------------------------------------
>
> if, for example, the string escaping mechanism in the module would simply
> duplicate any double-quote it finds to escape it in the string literal that
> it created (as is possible in MySQL and PostgreSQL), and still inject my
> code because the resulting query would be
>
> insert into some_table (some_column) values ("\"");
> DROP TABLE some_table;
> --")
>
> which is at least syntactically valid MySQL code, but from the perspective
> of the so-attacked it is still not fine as the table would be gone
> afterwards.

In other words, you are assuming that the string escaping *in the module*
is buggy. Well, duh. This is exactly what I said about not having stupid
bugs. The developer of a MySQL binding library should know the *entire*
rules for escaping, and, duh, that's going to include escaping the
backslash. So the escaped query would be something like:

insert into some_table (some_column) values ("\\""); DROP TABLE some_table; --")

which would be interpreted correctly by MySQL.

ChrisA
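As an added example (not part of this thread, and not code from either poster), here is the defensive counterpart to the exchange above: with DB-API parameter binding the application never splices the input into the SQL text, so the per-DBMS escaping rules the two posters argue about are the driver's problem, not the application's. It uses Python's sqlite3 module with an in-memory database; the table and column names follow the quoted query, and the hostile string is the one Thomas quoted, constructed here as sample data alongside a few other inputs that commonly trip up hand-rolled escaping.

```python
import sqlite3

# Constructed sample input: the string quoted in the thread above.
HOSTILE_INPUT = r'\"); DROP TABLE some_table; --'

# Further constructed inputs that hand-rolled escaping tends to get wrong:
# single and double quotes, a backslash, and a "%s" that a format string
# would interpret.
TRICKY_INPUTS = [HOSTILE_INPUT, "O'Brien", 'say "hi"', "back\\slash", "100%s done"]


def _fresh_db():
    """Open an in-memory SQLite database holding the table from the quoted query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (some_column TEXT)")
    return conn


def _table_exists(conn):
    """Check the catalogue for some_table; this is what an injected DROP would remove."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'some_table'"
    ).fetchone()
    return row is not None


def store_with_binding(value):
    """Insert value with DB-API parameter binding and return
    (value_read_back, table_still_exists).

    The SQL text is a fixed string; the value travels to the engine as a
    bound parameter, so no character in it is ever parsed as SQL. sqlite3
    uses '?' as its placeholder (not '%s', as the thread notes)."""
    conn = _fresh_db()
    conn.execute("INSERT INTO some_table (some_column) VALUES (?)", (value,))
    stored = conn.execute("SELECT some_column FROM some_table").fetchone()[0]
    exists = _table_exists(conn)
    conn.close()
    return stored, exists


def round_trips_unchanged(values=TRICKY_INPUTS):
    """True when every input is read back exactly as given and the table
    survives each insert: the property hand-written escaping must get right
    for every DBMS, and which binding provides without knowing those rules."""
    return all(store_with_binding(v) == (v, True) for v in values)


if __name__ == "__main__":
    stored, exists = store_with_binding(HOSTILE_INPUT)
    print("stored verbatim:", stored == HOSTILE_INPUT, "| table intact:", exists)
    print("all tricky inputs round-trip:", round_trips_unchanged())
```

Python's sqlite3 adds a second, independent layer: execute() refuses to run more than one statement per call and raises instead of silently executing a trailing DROP, so even a driver bug in escaping would not turn a single INSERT into two statements there. Other DBMS bindings do not necessarily share that behaviour, which is why binding rather than escaping is the habit worth building.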