| From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
|---|---|
| To: | Barry Lind <blind(at)xythos(dot)com> |
| Cc: | pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com>, Fernando Nasser <fnasser(at)redhat(dot)com> |
| Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Date: | 2003-07-23 00:11:06 |
| Message-ID: | 20030723001106.GD31669@opencloud.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
On Tue, Jul 22, 2003 at 08:53:36AM -0700, Barry Lind wrote:
> Oliver,
>
> Yes that will no longer work. But syntactically it shouldn't anyway.
> You are passing a set of strings and saying the type is NUMERIC. What
> will still work is passing a set of numeric values:
>
> stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
I agree that it makes no sense syntantically, but it *is* a loophole we're
talking about here! Interpreting "(1,2,3)" as a NUMERIC type doesn't make
sense either.
Anyway, if the half-escaping doesn't break anything standard, fine. I'd just
rather not make the driver ugly for the sake of backwards compatibility with
a *subset* of the cases where setObject was used in a non-standard way :)
-O
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Jowett | 2003-07-23 00:14:24 | Re: Detecting 'socket errors' - closing the Connection object |
| Previous Message | Joe Conway | 2003-07-22 21:46:16 | Re: the IN clause saga |