-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Sim wrote:
> Hi,
> 
> I have tried using the config example from
> http://docs.repoze.org/who/2.0/configuration.html#configuring-repoze-who-via-config-file
> and I get a ConfigParser exception.
> 
> ConfigParser.InterpolationMissingOptionError: Bad value substitution:
>       section: [plugin:sqlusers]
>       option : query
>       key    : login
>       rawval : "SELECT userid, password FROM users where login = %(login)s;"
> 
> Obviously the %(login)s variable is supposed to be substituted at a
> later time, not during the configuration parsing so I did a bit of
> digging and found a related ticket
> http://trac.pythonpaste.org/pythonpaste/ticket/379 that suggests using
> the SafeConfigParser instead of ConfigParser because it supports
> escaping substituted variables like %%(login)s
> 
> Is there a way to use substituted variables without changing the parser?

You can pass 'raw=True' to the parser's 'get' method, e.g.:

 $ cd /tmp/
 $ cat > foo.ini
 [sql]
 login = SELECT userid, password FROM users WHERE login = %(login)s
 $ python
 ...
 >>> from ConfigParser import ConfigParser
 >>> cp = ConfigParser()
 >>> cp.read('foo.ini')
 ['foo.ini']
 >>> cp.get('sql', 'login', raw=True)
 'SELECT userid, password FROM users WHERE login = %(login)s'

However, using "bare" Python string interpolation to generate SQL using
values supplied by the request is likely to be a security problem (SQL
injection).  Are you sure that you can't configure the plugin to use the
DBAPI standard for parameterized SQL queries?  E.g.:

  SELECT userid, password FROM users WHERE login = ?

and then pass the value through as a positional argument?


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkunTQIACgkQ+gerLs4ltQ6qGQCeMp4+MbhcJxBGAsxLPfW9lule
ofsAniRrd6odiMR/xMCmU2sfz55EYxnP
=VmVu
-----END PGP SIGNATURE-----
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
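The two points in the reply above, shown together as an added example (not code from the original thread or from repoze.who): reading a `%(login)s` value out of an INI file with `raw=True` so ConfigParser leaves it alone, and then the difference between splicing a request-supplied login into that SQL with `%` and binding it as a DB-API parameter. The INI text, the `plugin:sqlusers` option names, the `users` table and its two rows are all constructed for this example; Python 3's `configparser` and the bundled `sqlite3` module are used.

```python
import configparser
import sqlite3

# Constructed INI fragment (an assumption for this example, not the real
# repoze.who plugin configuration). unsafe_query mirrors the %(login)s style
# from the question; safe_query uses a DB-API "qmark" placeholder.
INI_TEXT = """\
[plugin:sqlusers]
unsafe_query = SELECT userid, password FROM users WHERE login = '%(login)s'
safe_query = SELECT userid, password FROM users WHERE login = ?
"""

SECTION = "plugin:sqlusers"


def load_config():
    cp = configparser.ConfigParser()
    cp.read_string(INI_TEXT)
    return cp


def plain_get_fails(option):
    """True if a default get() tries to expand %(login)s and fails at parse time."""
    cp = load_config()
    try:
        cp.get(SECTION, option)
    except configparser.InterpolationMissingOptionError:
        return True
    return False


def get_query(option):
    """Fetch the option verbatim: raw=True switches %(name)s expansion off."""
    return load_config().get(SECTION, option, raw=True)


def make_db():
    """In-memory SQLite database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b")],
    )
    return conn


def lookup_interpolated(conn, query, login):
    """VULNERABLE: the request-supplied login is spliced into the SQL text with %."""
    return conn.execute(query % {"login": login}).fetchall()


def lookup_parameterized(conn, query, login):
    """SAFE: the SQL text is fixed; the login travels as a bound parameter."""
    return conn.execute(query, (login,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    attacker = "x' OR '1'='1"
    # Interpolation turns the WHERE clause into  login = 'x' OR '1'='1'  and
    # returns every row; the parameterized query matches no user at all.
    print(lookup_interpolated(conn, get_query("unsafe_query"), attacker))
    print(lookup_parameterized(conn, get_query("safe_query"), attacker))
```

The `?` placeholder is what `sqlite3` expects (it also accepts `:login`). A DB-API driver whose `paramstyle` is `"pyformat"` accepts `%(login)s` as a placeholder, but only when the values are handed to `execute()` as its second argument; the moment the query goes through Python's `%` operator first, the driver never sees a parameter and the injection above applies regardless of driver.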
