Mailing-List: torque-user@db.apache.org
Subject: Re: security concern
From: "Peter S. Hamlen"
To: "Turbine Torque Users List"
Date: 27 May 2003 17:00:12 -0400
In-Reply-To: <01a401c32475$41ad5d00$a77ba8c0@Apollo>
Message-ID: <1054069212.1212.5865.camel@chimayblue.tfanet.org>

I would be worried about someone being able to execute the superclass function. For instance, assuming that $foo is a TorqueObject, I believe I should be able to do something like:

    $foo.class().superClass().newInstance().getPeer().executeStatement("delete * from very_important_table;");

(I can't test it over here, but I think something like this is possible.)

My personal suggestion for this particular issue is to restrict access at the database level. Whatever process is running the Velocity templates should log into the database and be able to only read/update the appropriate tables. This also solves the associated problem of people "erasing" existing data by calling the save() method after setting all the fields to empty.

-Peter

On Tue, 2003-05-27 at 13:25, Will Glass-Husain wrote:
> Hi,
>
> I have a web-based system that allows outside users to create accounts and upload Velocity templates. These templates, among other things, can display records from the database using Torque objects.
>
> I've recently realized this presents a security hazard. If a user gets access to the Peer class using the getPeer method, they can execute arbitrary SQL code in my database with the executeStatement method.
>
> What's the easiest way to prevent this? I've overridden getPeer to return null. Is this sufficient to prevent the execution of arbitrary SQL code by untrusted template designers who have a Torque object?
>
> Thanks for any advice,
>
> WILL
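The reply above argues that overriding getPeer() is not enough because a template can walk $foo.class and reflection to get a fresh object whose getPeer() still works, and that database-level privileges are the real backstop. The block below is an added example, not code from this thread, from Torque, or from Velocity: it shows the in-engine counterpart to that advice, a custom Velocity introspector (Uberspect) that refuses to resolve the reflective steps of such a chain, so an untrusted template cannot reach Class, ClassLoader, getPeer() or save() at all. It assumes Velocity 1.4 or later, where introspection goes through UberspectImpl; the class name RestrictedUberspect, the deny lists and the render() helper are this example's own choices.

```java
import java.io.StringWriter;
import java.lang.reflect.AccessibleObject;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.Info;
import org.apache.velocity.util.introspection.UberspectImpl;
import org.apache.velocity.util.introspection.VelMethod;
import org.apache.velocity.util.introspection.VelPropertyGet;

/**
 * Example introspector (assumed Velocity 1.4+ UberspectImpl API; not Velocity's
 * or Torque's own code). Returning null from getMethod/getPropertyGet tells
 * Velocity the member does not exist, so "$foo.class" or "$foo.getPeer()" fails
 * to resolve instead of executing.
 */
public class RestrictedUberspect extends UberspectImpl {

    /** Method names (lower-cased) a template may never invoke on any object. */
    private static final Set<String> DENIED_METHODS = new HashSet<String>(Arrays.asList(
        "getclass", "getpeer", "forname", "newinstance", "getclassloader",
        "loadclass", "invoke", "save", "delete", "executestatement"));

    /** Property names that UberspectImpl would map onto those same getters. */
    private static final Set<String> DENIED_PROPERTIES = new HashSet<String>(Arrays.asList(
        "class", "peer", "classloader", "superclass"));

    /** Reflection handles: refuse every call on them, whatever the name. */
    private static boolean isReflective(Object obj) {
        return obj instanceof Class
            || obj instanceof ClassLoader
            || obj instanceof AccessibleObject; // Method, Constructor, Field
    }

    public VelMethod getMethod(Object obj, String methodName, Object[] args, Info i)
            throws Exception {
        if (obj == null || isReflective(obj)
                || DENIED_METHODS.contains(methodName.toLowerCase())) {
            return null; // unresolved: Velocity renders the reference literally
        }
        return super.getMethod(obj, methodName, args, i);
    }

    public VelPropertyGet getPropertyGet(Object obj, String identifier, Info i)
            throws Exception {
        if (obj == null || isReflective(obj)
                || DENIED_PROPERTIES.contains(identifier.toLowerCase())) {
            return null;
        }
        return super.getPropertyGet(obj, identifier, i);
    }

    /** Builds an engine that uses this introspector and renders one template. */
    public static String render(Object record, String template) throws Exception {
        Properties props = new Properties();
        props.setProperty("runtime.introspector.uberspect", RestrictedUberspect.class.getName());
        VelocityEngine engine = new VelocityEngine();
        engine.init(props);

        VelocityContext ctx = new VelocityContext();
        ctx.put("foo", record); // stands in for the Torque object a template sees
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "untrusted-template", template);
        return out.toString();
    }

    public static void main(String[] argv) throws Exception {
        Object record = new Object(); // constructed stand-in, any Object will do
        // The first step ($foo.class) is refused, so the whole chain is left
        // as literal text in the output rather than run.
        System.out.println(render(record,
            "$foo.class.superclass.newInstance().getPeer().executeStatement('...')"));
        System.out.println(render(record, "$foo.getClass()"));
    }
}
```

Two caveats. A deny list like this only closes the paths you thought of; an allow list of the exact getters templates need (a read-only view object in the context, with the introspector refusing everything else) is stronger, and later Velocity releases ship a SecureUberspector that blocks reflection by class and package. Either way the introspector is a second layer: the account Torque uses from the template-rendering process should still, as the reply recommends, hold only SELECT (and, where needed, UPDATE) on the tables the templates are meant to touch, so that a bypass of the sandbox cannot run DELETE or DROP at all.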