On Wed, Oct 13, 2021 at 03:35:22PM -0400, post...@ptld.com wrote:

> > Also, since this is a table lookup and AFAIK Postfix doesn't have to
> > write anything to it, you can give SELECT-only rights.
> > Least privilege is the key...
> > 
> > So even if there is a clever guy who found a way to escape and send
> > SQL injection, he can never insert something.. end of the game for this
> > guy...
> 
> Yes, I'm using socket auth with only select privileges but I still would not
> want someone having read access to user data. Not sure if there is a way
> for an attacker to have data parsed back to them, same as in a browser with
> PHP injections. But I don't know what I don't know, so I assume it might be
> possible.
> 
> I am really loving the new socket auth so I no longer have plain text
> passwords stored in /etc/postfix/ files; the sql user doesn't even have a
> password set.

The mysql_table(5) manpage (http://www.postfix.org/mysql_table.5.html)
says:

 %s     This  is  replaced by the input key.  SQL quoting is used
        to make sure that the input key does not  add  unexpected
        metacharacters.

and:

  SELECT [select_field]
  FROM [table]
  WHERE [where_field] = '%s'
        [additional_conditions]

  The '%s' in the WHERE clause expands to the escaped search string.

This is saying that the user needs to add single quotes
around %s, and Postfix will escape the characters
represented by %s between those single quotes. So
Postfix does protect you from SQL injection.

It uses MySQL's mysql_real_escape_string function to perform
the escaping (https://mariadb.com/kb/en/mysql_real_escape_string/).

cheers,
raf
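The expansion described above, modelled in Python as an added example (this is not Postfix's own code nor the thread's; Postfix calls MySQL's mysql_real_escape_string directly, whereas the escape table here is a reimplementation of the single-byte cases that function documents). The point it shows: with the template written as `'%s'`, an injected key such as `x' OR '1'='1` never leaves the string literal, while a template that omits the quotes around `%s` has nothing for the escaping to protect. The query templates and keys are constructed sample values.

```python
"""Model of mysql_table(5) %s expansion and why the quotes matter.

Added example, not from the thread or from Postfix.  mysql_escape() mirrors
the characters mysql_real_escape_string rewrites (NUL, \\n, \\r, backslash,
both quote characters, Ctrl-Z) for a single-byte character set; Postfix
itself calls the real library function.
"""

# Escape map taken from the mysql_real_escape_string documentation.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# Inverse map used when reading a literal back the way the server would.
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape(value: str) -> str:
    """Escape a lookup key like mysql_real_escape_string (single-byte charset)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_query(template: str, key: str) -> str:
    """Expand a mysql_table-style template: %s -> escaped key, %% -> literal %."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "s":
                out.append(mysql_escape(key))
                i += 2
                continue
            if nxt == "%":
                out.append("%")
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def string_literals(sql: str) -> list:
    """Return the decoded contents of every single-quoted literal in sql.

    Honours backslash escapes and '' doubling, i.e. the server's view of
    which bytes are data and which are SQL syntax.
    """
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        buf, j = [], i + 1
        while j < n:
            c = sql[j]
            if c == "\\" and j + 1 < n:
                e = sql[j + 1]
                buf.append(_UNESCAPE.get(e, e))
                j += 2
            elif c == "'":
                if j + 1 < n and sql[j + 1] == "'":
                    buf.append("'")
                    j += 2
                else:
                    break
            else:
                buf.append(c)
                j += 1
        literals.append("".join(buf))
        i = j + 1
    return literals


def key_stays_data(template: str, key: str) -> bool:
    """True when the expanded query contains the whole key as exactly one literal.

    That is the property the manpage promises for '%s': nothing from the key
    reaches the parser as SQL syntax.
    """
    return string_literals(expand_query(template, key)) == [key]


# Constructed templates: the quoted form the manpage prescribes, and the
# unquoted mistake it warns against by implication.
QUOTED_TEMPLATE = "SELECT alias FROM aliases WHERE address = '%s'"
UNQUOTED_TEMPLATE = "SELECT alias FROM aliases WHERE address = %s"

if __name__ == "__main__":
    for key in ("bob@example.com", "x' OR '1'='1", "a\nb"):
        print(repr(key), "quoted:", key_stays_data(QUOTED_TEMPLATE, key),
              "unquoted:", key_stays_data(UNQUOTED_TEMPLATE, key))
```

Running it shows every key, including the quote-laden one, staying inside the literal for the quoted template, and the unquoted template failing for all of them: the escaping only has meaning once the user has supplied the surrounding single quotes, which is exactly what the manpage's `'%s'` is telling you to do.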
