apr-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 53666] The Sybase/FreeTDS driver is broken -- misparses the queries
Date Wed, 02 Jan 2013 21:49:18 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53666

--- Comment #8 from Mikhail T. <mi+apache@aldan.algebra.com> ---
(In reply to comment #7)
> I can believe that it's broken, especially in the parts marked as
> unimplemented.

It is broken beyond belief. The global/driver API has changed since this driver
was written and it was never brought up to date. The changes made to it allowed
it to compile, but not work.

Try it, if you dare :-)

> But why does your patch remove all the untainting code?

No other driver is doing it, is one reason. It is also expensive (applying a
regexp for each query) -- and not necessary, see below. But most importantly,
because it may reject valid (and useful code): depending on application --
apr_dbd stuff can be used for purposes other than a read-only lookup from
inside httpd.

> Can you explain, for example, how a user of mod_authn_dbd executes the
> standard user lookup query without opening the server to all kinds of
> SQL injection attack?

By setting up -- and using -- a special database account whose
access-permissions only allow it to SELECT from certain tables or, better yet,
to only EXEC certain stored procedures. This is the only method guaranteed to
work anyway...

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


Mime
View raw message