db-torque-user mailing list archives

From "Peter S. Hamlen" <pham...@mail.com>
Subject Re: security concern
Date Tue, 27 May 2003 21:00:12 GMT
I would be worried about someone being able to execute the superclass
function.  For instance, assuming that $foo is a TorqueObject, I believe
I should be able to do something like:

$foo.class().superClass().newInstance().getPeer().executeStatement("delete * from very_important_table;");

(I can't test it over here, but I think something like this is
possible.)

My personal suggestion for this particular issue is to restrict access
at the database level.  Whatever process is running the Velocity
templates should log into the database and be able to only read/update
the appropriate tables.  This also solves the associated problems of
people "erasing" existing data by calling the save() method after
setting all the fields to empty.

-Peter


On Tue, 2003-05-27 at 13:25, Will Glass-Husain wrote:

    Hi,
    
    I have a web-based system that allows outside users to create accounts and upload
    Velocity templates.  These templates, among other things, can display records from
    the database using Torque objects.
    
    I've recently realized this presents a security hazard.  If a user gets access to
    the Peer class using the getPeer method, they can execute arbitrary SQL code in my
    database with the executeStatement method.
    
    What's the easiest way to prevent this?  I've overridden getPeer to return null.
    Is this sufficient to prevent the execution of arbitrary SQL code by untrusted
    template designers who have a Torque object?
    
    Thanks for any advice, 
    
    WILL
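
The database-level restriction suggested in the reply above could be set up as follows. This is an added example, not part of the original thread: it assumes PostgreSQL, and the role, database, table and column names are hypothetical.

```sql
-- Added example. Assumes PostgreSQL; appdb, webapp, template_renderer,
-- article, author and view_count are hypothetical names.

-- Weak setup (before): the process rendering templates connects as the
-- schema owner, so any SQL that reaches the connection has full rights.
--   CREATE ROLE webapp LOGIN PASSWORD '<placeholder>';
--   ALTER DATABASE appdb OWNER TO webapp;

-- Restricted setup (after): a dedicated login used only for rendering.
CREATE ROLE template_renderer LOGIN PASSWORD '<placeholder>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Start from nothing: remove rights every role inherits through PUBLIC.
-- Other roles that relied on these defaults need explicit grants afterwards.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

GRANT CONNECT ON DATABASE appdb TO template_renderer;
GRANT USAGE ON SCHEMA public TO template_renderer;

-- Read access only to the tables templates are meant to display.
GRANT SELECT ON article, author TO template_renderer;

-- Where rendering must write, grant UPDATE per column rather than per
-- table, so a save() with emptied fields cannot blank the other columns.
GRANT UPDATE (view_count) ON article TO template_renderer;

-- No INSERT, DELETE, TRUNCATE or DDL rights are granted anywhere.

-- Audit the result: list what the role can actually do on each table.
SELECT c.relname AS table_name,
       has_table_privilege('template_renderer', c.oid, 'SELECT') AS can_select,
       has_any_column_privilege('template_renderer', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('template_renderer', c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
ORDER BY c.relname;
```

With the application connecting as this role for template rendering, a DELETE that reaches the connection is rejected by the database with a permission error, whichever object method issued it.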
    
    
    
