[ https://issues.apache.org/jira/browse/CONNECTORS-128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Wright resolved CONNECTORS-128.
------------------------------------
Resolution: Fixed
Fix Version/s: ManifoldCF 0.1

Grant indicates that it is acceptable to leave the FileNet and Documentum connectors at this time.

> ManifoldCF should be armored against any possibility of SQL injection
> ---------------------------------------------------------------------
>
> Key: CONNECTORS-128
> URL: https://issues.apache.org/jira/browse/CONNECTORS-128
> Project: ManifoldCF
> Issue Type: Bug
> Components: Documentum connector, FileNet connector, Framework agents process, Framework core
> Affects Versions: ManifoldCF 0.1
> Reporter: Karl Wright
> Fix For: ManifoldCF 0.1
>
>
> ManifoldCF uses SQL. Quoted string fields in SQL might be unsafe because it
> might be possible to override the intended statement with stuff from the
> parameter. A method in the SQL abstraction layer called quoteSQLString() is
> supposed to safely quote a SQL string to avoid any possibility of this
> occurring, but PostgreSQL is configurable in how it handles quotes, and if
> the wrong setting is selected, quoteSQLString() becomes vulnerable.
>
> Rather than make quoteSQLString() work properly, or use it solely in
> conjunction with constant values (as is currently the case), it has been
> decided that the very existence of this method is a security risk, and thus
> the method and all uses must be removed. The reasoning behind this is that
> quoting of strings is inherently unsafe because quoting methods cannot be
> made to be correct. (This claim is not accepted by everyone, for what it is
> worth.)
>
> This is unfortunate because several connectors (Documentum and FileNet
> specifically) use APIs that require the use of SQL-like languages, which may
> potentially be converted into SQL by the (opaque) API software, but do not
> have the ability to support parameterized queries. If the reasoning is
> correct it would indicate that all uses of these client APIs are vulnerable to
> SQL injection. Taken to its conclusion, a valid recourse might be removal of the
> FileNet and Documentum connector software as well.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
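The PostgreSQL setting the description alludes to is standard_conforming_strings: with it off, a backslash inside a '...' literal escapes the next character, so a quoter that only doubles single quotes no longer agrees with the server about where the literal ends. The Python below is an added illustration, not ManifoldCF code: quote_sql_string is a hypothetical stand-in for quoteSQLString(), literal_end simulates PostgreSQL's two scanning modes, the sample values are constructed, and sqlite3 stands in for the database to show the parameter-binding alternative the issue prefers.

```python
import sqlite3


def quote_sql_string(value: str) -> str:
    """Naive quoting of the kind the issue describes (hypothetical stand-in for
    quoteSQLString): double embedded single quotes and wrap in quotes. This is
    only correct if the server treats backslash as an ordinary character."""
    return "'" + value.replace("'", "''") + "'"


def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index just past the single-quoted literal starting at sql[start] == "'".
    backslash_escapes=False models standard_conforming_strings=on ('' only);
    backslash_escapes=True models it off (backslash also escapes next char)."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2  # the escaped character is part of the literal
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote stays inside the literal
                continue
            return i + 1
        i += 1
    raise ValueError("unterminated literal")


def literal_is_contained(value: str, backslash_escapes: bool) -> bool:
    """True when the quoted value forms exactly one literal that spans the whole
    quoted text, i.e. no part of the value leaks out into the SQL statement."""
    prefix = "SELECT id FROM jobs WHERE name="   # constructed statement
    sql = prefix + quote_sql_string(value)
    try:
        return literal_end(sql, len(prefix), backslash_escapes) == len(sql)
    except ValueError:
        return False  # server would see an unterminated string


def parameterized_roundtrip(value: str) -> str:
    """Parameter binding never interpolates text into the statement, so the
    server's quote handling is irrelevant (sqlite3 used as a stand-in DB)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jobs(name TEXT)")
    con.execute("INSERT INTO jobs VALUES (?)", (value,))
    row = con.execute("SELECT name FROM jobs WHERE name=?", (value,)).fetchone()
    return row[0]
```

Run literal_is_contained on the same value in both modes: a value with a trailing backslash is a single clean literal under one setting and an unterminated string under the other, which is exactly the configuration dependence the issue objects to.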