On Wed, Apr 06, 2011 at 12:35:32PM -0700, elij wrote:
> On Wed, Apr 6, 2011 at 12:04 PM, Lukas Fleischer
> <archli...@cryptocrack.de> wrote:
> >> num_comments = random.randrange(PKG_CMNTS[0], PKG_CMNTS[1])
> >> for i in range(0, num_comments):
> >> - fortune =
> >> esc(commands.getoutput(FORTUNE_CMD).replace("'",""))
> >> + fortune = commands.getoutput(FORTUNE_CMD).replace("'","")
> >
> > Why did you drop escape_string() here?
>
> It relies upon mysql, and since the other instance of mysql usage was
> removed by one of my patches, I removed this as well (to remove the
> dep entirely). For dummy data there really isn't a danger of sql
> injection, and removing ' characters from the fortune_cmd result
> string should be enough to keep from causing the written sql to be
> badly formatted.
The problem is not someone actually trying to exploit this but fortunes
containing single quotes which will lead to broken MySQL queries.
There's two things we can do here:
* Keep the mysql-python dependency just for escape_string().
* Implement escape_string() in Python and use it instead (should be no
more than 10 lines).
