From: dnallsopp@taz.qinetiq.com
To: user@cassandra.apache.org
Reply-To: user@cassandra.apache.org
Date: Sun, 03 Jul 2011 21:23:08 +0100
Subject: Re: CQL injection attacks?
Message-ID: <1309724588.4e10cfacc4ddb@itchen.qinetiq.com>
In-Reply-To: <1309651952.2053.51.camel@erebus.lan>
References: <1309374771.4e0b7933ac960@itchen.qinetiq.com> <1309630640.4e0f60b01d222@itchen.qinetiq.com> <1309651952.2053.51.camel@erebus.lan>

Quoting Eric Evans:

> On Sat, 2011-07-02 at 19:17 +0100, dnallsopp@taz.qinetiq.com wrote:
> > Just to illustrate; the typical injection pattern is:
> > select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';
>
> No, each CQL query must contain exactly one statement, so this sort of
> attack would not work.

Excellent, that changes the picture enormously! I guess it might be worth adding this fact to the preamble of the documentation?

[...]

> TTBMK, there are currently no drivers with bugs that egregious, so make
> use of the driver's parameter substitution, sanitize your input, and you
> shouldn't have anything to worry about (there is almost certainly less
> risk of an injection attack than with SQL).
Thanks very much,

David.
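The two points made in the reply above, that the server accepts exactly one statement per CQL query and that the driver's parameter substitution keeps attacker-controlled input inside a string literal, can be illustrated in code. The following is an added example written for this page; it is not from the thread, from Cassandra, or from any Cassandra driver. The `:name` placeholder syntax, the function names, the `users` column family and the sample payload are assumptions made for illustration; the quote-doubling rule for CQL string literals is the same as SQL's.

```python
import re

# Placeholder syntax is an assumption for this example, not a driver's API.
PLACEHOLDER = re.compile(r":(\w+)")


def quote_cql_string(value: str) -> str:
    """Render a Python str as a single CQL string literal.

    A single quote is the only character that can end the literal, and CQL
    escapes it the SQL way, by doubling it, so a quote supplied by the
    attacker can never close the literal early.
    """
    return "'" + value.replace("'", "''") + "'"


def substitute_params(template: str, params: dict) -> str:
    """Bind :name placeholders to quoted literals on the client side.

    This imitates driver-side parameter substitution. Only str and int are
    supported; anything else is rejected rather than silently stringified.
    """
    def bind(match):
        name = match.group(1)
        value = params[name]  # KeyError if a placeholder is left unbound
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise TypeError("unsupported parameter type for :%s" % name)
        return str(value) if isinstance(value, int) else quote_cql_string(value)
    return PLACEHOLDER.sub(bind, template)


def split_statements(query: str) -> list:
    """Split on ';' outside string literals and return the non-empty pieces.

    A doubled quote ('') inside a literal is part of the literal, so a ';'
    that an attacker smuggled into a bound value is never a boundary.
    """
    pieces, current, in_string, i = [], [], False, 0
    while i < len(query):
        c = query[i]
        if in_string:
            if c == "'" and query[i + 1:i + 2] == "'":
                current.append("''")  # escaped quote, still inside the literal
                i += 2
                continue
            if c == "'":
                in_string = False
        elif c == "'":
            in_string = True
        elif c == ";":
            pieces.append("".join(current))
            current = []
            i += 1
            continue
        current.append(c)
        i += 1
    pieces.append("".join(current))
    return [p.strip() for p in pieces if p.strip()]


def require_single_statement(query: str) -> str:
    """Client-side mirror of the server rule quoted in the thread: refuse
    anything that is not exactly one statement."""
    n = len(split_statements(query))
    if n != 1:
        raise ValueError("expected exactly one CQL statement, found %d" % n)
    return query


def build_unsafe(key: str) -> str:
    """String concatenation: the pattern the thread shows being injected."""
    return "SELECT * FROM users WHERE KEY='" + key + "';"


def build_safe(key: str) -> str:
    """The same query with the value bound through parameter substitution."""
    return substitute_params("SELECT * FROM users WHERE KEY=:key;", {"key": key})


# Constructed payload: closes the literal and appends a second statement.
PAYLOAD = "jsmith'; DROP COLUMNFAMILY 'users"

if __name__ == "__main__":
    unsafe = build_unsafe(PAYLOAD)
    safe = build_safe(PAYLOAD)
    print("unsafe:", unsafe, "->", len(split_statements(unsafe)), "statement(s)")
    print("safe:  ", safe, "->", len(split_statements(safe)), "statement(s)")
    require_single_statement(safe)
    try:
        require_single_statement(unsafe)
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone, the concatenated query splits into two statements and is rejected, while the parameterised query carries the whole payload inside one literal (`'jsmith''; DROP COLUMNFAMILY ''users'`) and passes. The single-statement check is a belt-and-braces measure: the reply says the server already enforces it, but keeping the same gate on the client turns a stacked-statement attempt into a logged application error rather than a server-side rejection you may not see.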