cassandra-client-dev mailing list archives

From Eric Evans <eev...@rackspace.com>
Subject Re: PHP Cassandra CQL driver
Date Tue, 29 Mar 2011 22:00:50 GMT
On Tue, 2011-03-29 at 12:06 +0100, Nick Telford wrote:
> With regards to injection, I saw someone state "it's a red herring as
> it's a client concern". While this may be true, experience teaches us 
> that pushing the responsibility to the client is dangerous due to the 
> many implementations. At the very least, the possibility of injection 
> attacks should be *considered*.

No, it's basically the point of this exercise to push as much as
possible server-side.

> My suggestion as a means of heavily mitigating the damage of these
> attacks would be to only permit a single query at a time (i.e. remove
> the ';' token). 

This is effectively the case.  The parser is run exactly once for each
request and is only capable of parsing exactly one statement (no less,
no more).  Terminating a query with ';' is allowed, but has no effect on
this.

> Only trusted, administrative client applications (e.g. a GUI or
> console) should really permit issuing multiple queries like this. Such
> clients could decompose the queries into separate queries and issue
> them individually.

Easier still, because nothing has that ability.  There is a very basic
interactive interpreter bundled with the Python driver; it splits on ';'
and issues individual requests.

-- 
Eric Evans
eevans@rackspace.com


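The two behaviours discussed in this thread, a server-side parser that accepts exactly one statement per request (a trailing ';' tolerated, a second statement rejected) and a client-side shell that splits on ';' and sends each statement separately, as an added example. This is constructed illustration code, not Cassandra's CQL parser or the Python driver's interpreter; the function names `split_statements` and `parse_single_statement` and the toy tokenizer are assumptions. The tokenizer understands single-quoted CQL literals (with the `''` escape) so that a ';' inside a value is not mistaken for a statement terminator, which is the case a naive `str.split(';')` gets wrong.

```python
"""Added example: single-statement-per-request enforcement for CQL text.

Not code from the original thread, from Cassandra, or from the Python
driver. The tokenizer below is a constructed toy that only knows about
single-quoted string literals; it is enough to show why splitting must
respect literals and why one request may carry exactly one statement.
"""

from typing import List


class StatementCountError(ValueError):
    """Raised when a request does not contain exactly one statement."""


def split_statements(text: str) -> List[str]:
    """Split CQL text on ';' terminators that sit outside string literals.

    A ';' inside a single-quoted literal is part of the value, and '' inside
    a literal is an escaped quote. Empty fragments (e.g. after a trailing
    ';') are dropped. This is the client-side job of an interactive shell;
    the server never splits, it parses one statement.
    """
    statements: List[str] = []
    current: List[str] = []
    in_string = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            current.append(ch)
            if ch == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    current.append("'")  # '' is an escaped quote, stay in string
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif ch == ";":
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
        else:
            current.append(ch)
        i += 1
    if in_string:
        raise ValueError("unterminated string literal")
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def parse_single_statement(request: str) -> str:
    """Server-side entry point: exactly one statement per request.

    Mirrors the property described in the thread: the parser runs once per
    request and yields one statement, no less and no more. A trailing ';'
    is allowed; an empty request or a second statement is rejected.
    """
    statements = split_statements(request)
    if len(statements) != 1:
        raise StatementCountError(
            "expected exactly one statement, got %d" % len(statements))
    return statements[0]


if __name__ == "__main__":
    # Constructed sample inputs.
    ok = parse_single_statement("SELECT * FROM users WHERE name = 'a;b';")
    print("accepted:", ok)
    shell_input = "SELECT a FROM t; SELECT b FROM t;"
    for stmt in split_statements(shell_input):
        # What a client shell would do: one request per statement.
        print("would send:", parse_single_statement(stmt))
    try:
        parse_single_statement(shell_input)
    except StatementCountError as exc:
        print("rejected as a single request:", exc)
```

The point the example makes is that the server-side check does not rely on how any particular client escapes values: whatever the client sends, the request is parsed as one statement or refused, while the shell's splitting is a convenience that only ever produces single-statement requests.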