[Zope] Bug in PostGre adapter for Zope, for type string in arguments of ZSQL Methods (?)

Jim Penny jpenny@universal-fasteners.com
Thu, 23 Aug 2001 19:06:02 -0400


On Thu, Aug 23, 2001 at 06:51:36PM -0400, Tom Jenkins wrote:
> Andreas Heckel wrote:
> >>I have tried some other ways to access the query:
> >>select * from table_name where table_field2='<dtml-sqlvar> argument2 
> >>type=string>';
> >>...
> >>I need the help. Any comments can help me. Thanks.
> >>
> >
> >select * from table_name where table_field2='<dtml-var argument2>'
> >
> >or
> >
> >select * from table_name where table_field2='<dtml-var
> >"_.str(argument2)">'
> >
> 
> ACK! No, no, no, don't use <dtml-var> in a sql method, use <dtml-sqlvar>.
> What if argument2 was set to "43;drop database mydatabase"?  Yep,
> you'd get a select but your database would be erased.  <dtml-sqlvar>
> does checks to keep this type of attack from happening.

Actually, DO do it, but only for testing purposes.  

The reason I want this done is that it should not depend in any way
on any "string" method.  

Tom is 100% right that this is a gaping security problem and should
never go into production code.  Make sure you do it in a folder
that you have marked for deletion, and delete it after testing.

(background:  some people are reporting problems with a particular
database adapter, ZPoPyDA, and others (who have never seen such a
problem) are trying to diagnose.  Is it version dependent?  Does
the adapter do the right thing in the simplest cases?  Which
combinations of OS, Zope, Python, PoPy, and ZPoPyDA are failing?
Is it only for <dtml-sqlvar ... type=string>? ...)

> 
> -- 
> Tom Jenkins
> devIS - Development Infostructure
> http://www.devis.com
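An added example in Python (not code from this thread, from Zope or from ZPoPyDA) modelling the point Tom makes: raw `<dtml-var>` interpolation versus the quoting that `<dtml-sqlvar type=string>` performs, with a small statement counter that shows why the raw form is an injection hole. The escaping rule (doubling single quotes, rejecting NUL bytes) and the statement counter are assumptions of this example, not Zope's own sql_quote.

```python
# Constructed model of a ZSQL method body; argument2 is the only user input.
TEMPLATE = "select * from table_name where table_field2 = %s"

# Constructed test value: it closes the literal and reopens it so the raw
# form is syntactically valid and runs as several statements.
ATTACK = "x'; drop database mydatabase; select 'y"

def dtml_var(value):
    """Like <dtml-var argument2> between quotes: inserted verbatim."""
    return "'%s'" % value

def dtml_sqlvar_string(value):
    """Approximates <dtml-sqlvar argument2 type=string>.
    Assumption: single quotes are doubled and NUL bytes are refused;
    the real Zope/adapter code may differ in detail."""
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a SQL string literal")
    return "'" + value.replace("'", "''") + "'"

def build_query(render, value):
    """Render argument2 with the given tag behaviour into the template."""
    return TEMPLATE % render(value)

def count_statements(sql):
    """Count statements separated by ';' outside single-quoted literals
    ('' inside a literal is an escaped quote). More than one statement
    from a single ZSQL method is the symptom a reviewer should look for.
    Assumption: no SQL comments or dollar-quoting in the input."""
    in_string, count, i = False, 0, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1          # skip the second half of an escaped quote
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
        elif ch == ";":
            count += 1
        i += 1
    tail = sql.rstrip()
    if tail and not tail.endswith(";"):
        count += 1                  # final statement without a terminator
    return count

if __name__ == "__main__":
    for render in (dtml_var, dtml_sqlvar_string):
        q = build_query(render, ATTACK)
        print("%-18s -> %d statement(s): %s" % (render.__name__, count_statements(q), q))
```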