Opened 2 hours ago

#14392 new defect

SqlMacro security problem / sql injection

Reported by: martin.p.wyser@…
Owned by:
Priority: normal
Component: SqlQueryMacro
Severity: normal
Keywords:
Cc:
Trac Release: 1.6

Description

The SqlMacro plugin checks that the query (from the user) starts with \s*SELECT, but I can enter a select statement first, and then tack on other statements with a semicolon in postgres, like this:

select 1;
create table my_table (...);
insert into my_table (...) values (...);

The right solution to this is not to parse the statement, but to use a connection with a read-only user, or to accept the insecurity and not to check the statement.
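As an added, illustrative example (not part of the ticket or of the SqlMacro plugin's code), the following Python script contrasts the `\s*SELECT` prefix check described above with the read-only connection the reporter suggests. It uses SQLite's read-only open mode as a stand-in for a PostgreSQL role granted only SELECT, and fills the column lists the ticket leaves elided with constructed placeholder columns.

```python
import os
import re
import sqlite3
import tempfile

# The check the ticket describes: the query merely has to *start* with SELECT.
SELECT_PREFIX = re.compile(r"\s*SELECT", re.IGNORECASE)

def passes_prefix_check(query: str) -> bool:
    """True if the query would be accepted by a '\\s*SELECT' prefix check."""
    return SELECT_PREFIX.match(query) is not None

# Constructed inputs: a plain SELECT and the stacked statements from the
# ticket, with the elided column lists filled in with placeholder columns.
PLAIN_SELECT = "select 1"
STACKED = (
    "select 1;\n"
    "create table my_table (id integer);\n"
    "insert into my_table (id) values (1);"
)

def readonly_outcome(query: str) -> str:
    """Run every statement in `query` over a read-only connection.

    Returns 'ok' if all statements ran, or 'rejected' if the database refused
    a write. SQLite's mode=ro is an assumed stand-in for a PostgreSQL role
    that has only SELECT privileges (or default_transaction_read_only = on).
    """
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "trac.db")
        setup = sqlite3.connect(db_path)            # writable, only to create the file
        setup.execute("create table existing (id integer)")
        setup.commit()
        setup.close()
        conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        try:
            conn.executescript(query)                # accepts ';'-separated statements
            return "ok"
        except sqlite3.OperationalError:             # 'attempt to write a readonly database'
            return "rejected"
        finally:
            conn.close()

if __name__ == "__main__":
    for label, q in (("plain", PLAIN_SELECT), ("stacked", STACKED)):
        print(f"{label:8} prefix check: {passes_prefix_check(q)}  "
              f"read-only connection: {readonly_outcome(q)}")
```

Both inputs pass the prefix check; only the read-only connection stops the stacked statements at the CREATE TABLE, which is the point the reporter makes.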

Attachments (0)

Change History (0)
