Forum OpenACS Q&A: security issue: pgdriver and slashes

Posted by David Walker on
OK. this morning I created a working security breach using the ability of to escape things in postgres. (If you're using unencrypted passwords I can view them, if you're using encrypted I can only view the encrypted version)

I know about DoubleApos. are there possibly any inserts that don't use it?

and for a change this small is it still recommended to build a patch and upload it?

Here is the new DoubleApos function to escape s.
(escaped for pg. if reading in email reduce the s by one half)
proc DoubleApos {string} {
    regsub -all ' "$string" '' result1
    regsub -all {\} "$result1" {\\} result
    return $result