From: | barry(at)svr1(dot)postgresql(dot)org (Barry Lind) |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql-server/src/interfaces/jdbc/org/postgresq ... |
Date: | 2003-08-07 04:03:13 |
Message-ID: | 20030807040313.8490AD1C946@svr1.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
CVSROOT: /cvsroot
Module name: pgsql-server
Changes by: barry(at)svr1(dot)postgresql(dot)org 03/08/07 01:03:13
Modified files:
src/interfaces/jdbc/org/postgresql/jdbc1:
AbstractJdbc1Statement.java
Log message:
Sometimes the third time is the charm. Third try to fix the sql injection
vulnerability. This fix completely removes the ability (hack) of being able
to bind a list of values in an in clause. It was demonstrated that by allowing
that functionality you open up the possibility for certain types of
sql injection attacks. The previous fix attempts all focused on preventing
the insertion of additional sql statements (the semi-colon problem:
xxx; any new sql statement here). But that still left the ability to
change the where clause on the current statement or perform a subselect
which can circumvent applicaiton security logic and/or allow you to call
any stored function.
Modified Files:
jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2003-08-07 04:03:18 | pgsql-server/src/interfaces/ecpg/pgtypeslib Ma ... |
Previous Message | Bruce Momjian | 2003-08-07 03:59:26 | pgsql-server/. HISTORY |