manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CONNECTORS-128) ManifoldCF should be armored against any possibility of SQL injection
Date Mon, 13 Dec 2010 23:16:03 GMT

     [ https://issues.apache.org/jira/browse/CONNECTORS-128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright updated CONNECTORS-128:
-----------------------------------

    Affects Version/s: ManifoldCF 0.1

> ManifoldCF should be armored against any possibility of SQL injection
> ---------------------------------------------------------------------
>
>                 Key: CONNECTORS-128
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-128
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: Documentum connector, FileNet connector, Framework agents process, Framework core
>    Affects Versions: ManifoldCF 0.1
>            Reporter: Karl Wright
>
> ManifoldCF uses SQL. Quoted string fields in SQL might be unsafe because it might be possible to override the intended statement with stuff from the parameter. A method in the SQL abstraction layer called quoteSQLString() is supposed to safely quote a SQL string to avoid any possibility of this occurring, but PostgreSQL is configurable in how it handles quotes, and if the wrong setting is selected, quoteSQLString() becomes vulnerable.
> Rather than make quoteSQLString() work properly, or using it solely in conjunction with constant values (as is currently the case), it has been decided that the very existence of this method is a security risk, and thus the method and all uses must be removed. The reasoning behind this is that quoting of strings is inherently unsafe because quoting methods cannot be made to be correct. (This claim is not accepted by everyone, for what it is worth.)
> This is unfortunate because several connectors (Documentum and FileNet specifically) use APIs that require the use of SQL-like languages, which may potentially be converted into SQL by the (opaque) API software, but do not have the ability to support parameterized queries. If the reasoning is correct it would indicate that all uses of these client APIs are vulnerable to SQL injection. Taken to conclusion, a valid recourse might be removal of the FileNet and Documentum connector software as well.
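The issue's core claim is that a quoting helper like quoteSQLString() cannot be trusted because PostgreSQL's quote handling is configurable. The following Python model (an added example, not ManifoldCF's Java code) assumes a quoteSQLString()-style helper that doubles embedded single quotes, and checks whether the resulting literal is read as exactly one literal under both PostgreSQL modes (standard_conforming_strings on and off); the table, column and sample values are constructed for illustration.

```python
# Added example (not ManifoldCF code): a stand-in for a quoteSQLString()-style
# helper, plus a checker that asks whether the quoted literal is read as ONE
# literal under both PostgreSQL quote-handling modes.
# Assumptions: quoteSQLString doubles embedded single quotes; the SQL text,
# table and column names are constructed for illustration.

def quote_sql_string(value: str) -> str:
    """ANSI-style quoting: wrap in single quotes, double any embedded quote."""
    return "'" + value.replace("'", "''") + "'"

def literal_end(sql: str, start: int, backslash_escapes: bool):
    """Index just past the single-quoted literal beginning at sql[start].
    backslash_escapes=False models standard_conforming_strings=on ('' is the
    only escape); True models standard_conforming_strings=off, where a
    backslash also escapes the next character. Returns None if the literal
    never terminates."""
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2                      # backslash swallows the next character
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2                  # doubled quote stays inside the literal
            else:
                return i + 1            # closing quote found
        else:
            i += 1
    return None

def build_statement(value: str) -> str:
    """Statement assembled by string concatenation, the pattern the issue targets."""
    return "SELECT id FROM jobs WHERE description=" + quote_sql_string(value) + " AND status=1"

def quoting_holds(value: str, backslash_escapes: bool) -> bool:
    """True if the literal ends exactly where the author intended, i.e. the
    ' AND status=1' tail is still parsed as SQL rather than as string data."""
    sql = build_statement(value)
    start = sql.index("'")
    return literal_end(sql, start, backslash_escapes) == start + len(quote_sql_string(value))

def build_parameterized(value: str):
    """The remedy the issue chose: the value never enters the SQL text at all;
    the driver binds it separately, so no quote-handling setting matters."""
    return ("SELECT id FROM jobs WHERE description=? AND status=1", [value])

if __name__ == "__main__":
    for v in ["O'Reilly", "C:\\tmp\\"]:          # second value ends with a backslash
        for mode in (False, True):
            print(repr(v), "backslash_escapes=%s" % mode, quoting_holds(v, mode))
```

A value ending in a backslash (an ordinary Windows path) is enough to make the doubled-quote literal swallow the rest of the statement when backslash escapes are on, which is why the helper cannot be made correct without knowing the server setting.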

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

