manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <>
Subject [jira] Created: (CONNECTORS-128) ManifoldCF should be armored against any possibility of SQL injection
Date Mon, 13 Dec 2010 23:16:02 GMT
ManifoldCF should be armored against any possibility of SQL injection

                 Key: CONNECTORS-128
             Project: ManifoldCF
          Issue Type: Bug
          Components: Documentum connector, FileNet connector, Framework agents process, Framework
            Reporter: Karl Wright

ManifoldCF uses SQL.  Quoted string fields in SQL might be unsafe because it might be possible
to override the intended statement with stuff from the parameter.  A method in the SQL abstraction
layer called quoteSQLString() is supposed to safely quote a SQL string to avoid any possibility
of this occurring, but PostgreSQL is configurable in how it handles quotes, and if the wrong
setting is selected, quoteSQLString() becomes vulnerable.

Rather than making quoteSQLString() work properly, or using it solely in conjunction with constant
values (as is currently the case), it has been decided that the very existence of this method
is a security risk, and thus the method and all uses must be removed.  The reasoning behind
this is that quoting of strings is inherently unsafe because quoting methods cannot be made
to be correct.  (This claim is not accepted by everyone, for what it is worth).

This is unfortunate because several connectors (Documentum and FileNet specifically) use APIs
that require the use of SQL-like languages, which may potentially be converted into SQL by
the (opaque) API software, but do not have the ability to support parameterized queries. 
If the reasoning is correct it would indicate that all uses of these client APIs are vulnerable
to SQL injection.  Taken to its conclusion, a valid recourse might be removal of the FileNet and
Documentum connector software as well.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
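As an added illustration (not ManifoldCF's code), here is a Python stand-in for a quoteSQLString()-style helper together with a round-trip check a defender can run against a given engine, beside the parameterized query the issue favours. It assumes sqlite3 as the engine (standing in for PostgreSQL), a constructed `jobs` table, and the hypothetical names `quote_sql_string`, `check_quoting` and `lookup_parameterized`; the round-trip passes on sqlite3, whereas an engine configured to treat backslash as an escape inside quoted literals would report failures for the backslash samples.

```python
import sqlite3

# Hypothetical stand-in for a quoteSQLString()-style helper: the classic
# "double every single quote" rule.  This is NOT the project's own code.
def quote_sql_string(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

# Constructed sample values: plain text, an embedded quote, and two
# backslash cases whose correctness depends on how the engine handles
# backslashes inside '...' literals (configurable in PostgreSQL).
SAMPLES = ["plain", "O'Reilly", "back\\'slash", "trailing\\"]


def check_quoting(conn: sqlite3.Connection) -> list:
    """Return the samples whose quoted literal does NOT parse back to the
    original value on this engine.  An empty list means the quoting rule
    is consistent with the engine's current quoting configuration."""
    failures = []
    for value in SAMPLES:
        row = conn.execute("SELECT " + quote_sql_string(value)).fetchone()
        if row[0] != value:
            failures.append(value)
    return failures


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Look up job ids by name using a bound parameter; the value never
    becomes part of the SQL text, so no quoting rule is involved."""
    rows = conn.execute("SELECT id FROM jobs WHERE name = ?", (name,))
    return [r[0] for r in rows]


def demo() -> dict:
    """Build an in-memory table from the samples and map each sample to
    the ids the parameterized lookup returns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO jobs (name) VALUES (?)",
                     [(s,) for s in SAMPLES])
    return {s: lookup_parameterized(conn, s) for s in SAMPLES}


if __name__ == "__main__":
    c = sqlite3.connect(":memory:")
    print("quoting failures on this engine:", check_quoting(c))
    print(demo())
```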
