Forum OpenACS Q&A: pgdriver and slashes

Collapse
Posted by David Walker on
postgres accepting as an escape character seems to be causing little troubles in various places. for example one of my posts today contained a
Collapse
Posted by Dan Wickstrom on
The db driver is not the appropriate place to fix this problem.  It should be fixed in the .tcl layer.
Collapse
Posted by David Walker on
I'll grant you that it is inappropriate.  However, looking at the amount of work required to escape every backslash in an insert or update string at the tcl layer or to do it at the driver level one time and the fact that it simplifies future porting efforts it seems more cost effective (where time=money).
Collapse
Posted by David Walker on
OK. this morning I created a working security breach using the ability of to escape things in postgres. (If you're using unencrypted passwords I can view them, if you're using encrypted I can only view the encrypted version)

I know about DoubleApos. are there possibly any inserts that don't use it?

and for a change this small is it still recommended to build a patch and upload it?

Here is the new DoubleApos function to escape s.
(escaped for pg. if reading in email reduce the s by one half)
proc DoubleApos {string} {
    regsub -all ' "$string" '' result1
    regsub -all {\} "$result1" {\\} result
    return $result
}

Collapse
Posted by Don Baccus on
"and for a change this small is it still recommended to build a patch and upload it?"

Well, if you don't, someone else has to, right ???

I should change the driver to escape them in the case where we're doing bind-variable emulation (":tcl_var").  We should really treat strings inserted into the database as being SQL92 standard input.

Mind sharing details as to the security breach you've found?

Collapse
Posted by David Walker on
putting a \' into a text field allows you to break out (the \
escapes the first ' and the second ' ends the field.).
I used the section for updating user info and set the
portrait_comment=(select password from users where user_id=x)

your message then ends with something like

\', portrait_comment=(select password from users where user_id=x) --

Collapse
Posted by David Walker on
Collapse
Posted by Don Baccus on
Ugh, that's a pretty nasty little exploit ...
Collapse
Posted by David Walker on
Well I generated my one line of code for the day.  I think I'll take
a break now.
As far as I know, posting literal backslashes into the OpenACS BBoards is still a problem, due to Postgres interpreting them as escape characters. So FYI, here's the trivial little proc I run my code snippets through before posting them here
ad_proc dtk_openacs_bboard_quotehtml { string } {
   This takes a string (which is probably a code snippet) and converts
   it to something that will look right as HTML on the OpenACS bboard.
   It escapes any HTML in the string, and since backslashes currently
   get eaten up by Postgres, it <em>also</em> replaces all single
   backslashes with double backslashes.

   <p>
   Basically, if you want to post a code snippet on the
   <a href="https://openacs.org/bboard/">OpenACS BBoards</a>,
   run the code through this procedure, and then stick the result
   insite &lt;pre&gt; tags.

   @author Andrew Piskorski (atp@piskorski.com)
   @date 2002/04/09
} {
   set code_2 [ns_quotehtml $string]
   set n_regsubs [regsub -all -- {\} $code_2 {\\} code_2]
   return $code_2
}

Note that the regsub command above should show 2 and then 4 backslashes - we'll see if my little proc works for posting itself. :)

Collapse
Posted by Jade Rubick on
It looks fine on the web, but the email alerts show 4 and 8 backslashes. :)
Collapse
Posted by Don Baccus on
Just a note: this isn't a problem with OpenACS 4.5 as long as you use the bind variable emulation convention.  All necessary escaping and doubling of apostrophes are done by the driver in this case.
Collapse
Posted by David Walker on
My patch should cover bboards.  BBoards uses QQ variables which are
created by calling the DoubleApos function that my patch modifies.