ManifoldCF should be armored against any possibility of SQL injection
---------------------------------------------------------------------
Key: CONNECTORS-128
URL: https://issues.apache.org/jira/browse/CONNECTORS-128
Project: ManifoldCF
Issue Type: Bug
Components: Documentum connector, FileNet connector, Framework agents process, Framework core
Reporter: Karl Wright
ManifoldCF uses SQL. Quoted string fields in SQL might be unsafe because it
might be possible to override the intended statement with stuff from the
parameter. A method in the SQL abstraction layer called quoteSQLString() is
supposed to safely quote a SQL string to avoid any possibility of this
occurring, but PostgreSQL is configurable in how it handles quotes, and if the
wrong setting is selected, quoteSQLString() becomes vulnerable.

Rather than making quoteSQLString() work properly, or using it solely in
conjunction with constant values (as is currently the case), it has been
decided that the very existence of this method is a security risk, and thus the
method and all uses must be removed. The reasoning behind this is that quoting
of strings is inherently unsafe because quoting methods cannot be made to be
correct. (This claim is not accepted by everyone, for what it is worth.)

This is unfortunate because several connectors (Documentum and FileNet
specifically) use APIs that require the use of SQL-like languages, which may
potentially be converted into SQL by the (opaque) API software, but do not have
the ability to support parameterized queries. If the reasoning is correct it
would indicate that all uses of these client APIs are vulnerable to SQL
injection. Taken to its conclusion, a valid recourse might be removal of the
FileNet and Documentum connector software as well.
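The following is an added illustration, not ManifoldCF's own code, of the two points above: why a quote-doubling helper like quoteSQLString() (assumed here to simply double single quotes) is only correct under one server setting, and what the parameterized alternative looks like. It models PostgreSQL's standard_conforming_strings on/off as a flag in a small literal scanner, and uses sqlite3 as a stand-in database purely because it runs offline.

```python
import sqlite3


def quote_sql_string(value: str) -> str:
    """Assumed shape of quoteSQLString(): wrap in quotes, double embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def literal_end(sql: str, backslash_escapes: bool) -> int:
    """Index just past the string literal that starts at sql[0].

    backslash_escapes=True models PostgreSQL with standard_conforming_strings=off,
    where a backslash escapes the next character inside '...'; False models the
    SQL-standard behaviour where only a doubled quote is an escape.
    Raises ValueError if the literal never terminates.
    """
    assert sql and sql[0] == "'"
    i = 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2  # backslash consumes the following character, quote included
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote: stays inside the literal
                continue
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def quoting_is_safe(value: str) -> bool:
    """True only if the quoted value is exactly one literal under BOTH settings."""
    quoted = quote_sql_string(value)
    try:
        return all(literal_end(quoted, mode) == len(quoted) for mode in (False, True))
    except ValueError:
        return False  # literal boundary moved: the rest of the statement is exposed


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the value travels separately, no quoting in SQL text."""
    return conn.execute("SELECT id FROM docs WHERE name = ?", (name,)).fetchall()


def demo() -> list:
    conn = sqlite3.connect(":memory:")  # constructed sample table
    conn.execute("CREATE TABLE docs (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)",
                     [(1, "O'Brien"), (2, "C:\\path\\")])
    return find_by_name(conn, "C:\\path\\")  # trailing backslash is harmless here
```

A value as ordinary as a Windows path ending in a backslash is enough to make quoting_is_safe() return False, while the same value round-trips cleanly through the parameterized query.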
--
This message is automatically generated by JIRA.