apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Darroch <chr...@pearsoncmg.com>
Subject Re: current dbd initiatives
Date Sat, 10 Jun 2006 02:28:39 GMT
Bojan Smojver wrote:

> Quoting Chris Darroch <chrisd@pearsoncmg.com>:
> 
>>    But, suppose someone thinks they can do this safely:
>>
>> sql = apr_pstrdup(p, "SELECT foo FROM bar WHERE baz = '",
>>                   apr_dbd_escape(user_input), "'");
>> apr_dbd_prepare(driver, p, handle, sql, NULL, &stmt);
>>
>>    If user_input happens to contain a %s then subsequent p[v]select()
>> calls will expect an extra parameter to be supplied, because
>> our drivers parse for % in the queries but don't recognize when
>> it occurs within single-quotes.  Now, usually this would lead to
>> a crash, I'd think, in p[v]select().  Not a security hole, but
>> certainly unexpected behaviour.
> 
> Actually, given that the end result would be quoted, this would  
> eventually (after APU DBD substitution) be interpreted as literal ?,  
> $1, $2 etc. inside user input, depending on a database backend (i.e.  
> it would be no parameter at all). Most likely, the user would get  
> records where baz is exactly ?, $1, $2 etc. inside other text. Very  
> confusing indeed.

   Just as a note, this can crash the Oracle driver, at least,
if you prepare a query like "INSERT INTO foo (bar) VALUES ('%s')"
and then use apr_dbd_pvquery() with no arguments (because you
weren't expecting that %s in the SQL-escaped string value).

   This is because the driver iterates up to the previously
calculated number of required arguments, and if these aren't
available in the va_list, then oops.  This is, I believe,
consistent with the use of va_arg() in places like apr_snprintf.c.

   (I'm actually a little surprised by the use of va_arg() in
the other drivers and also in apr_brigade.c, where it seems like a
NULL return is expected after iterating past the last argument.
I didn't know va_arg() would do that ... the Linux man page says
"random errors will occur" after the last argument.  Does anyone
know which is correct?)

Chris.

-- 
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B


Mime
View raw message