ManifoldCF should be armored against any possibility of SQL injection
---------------------------------------------------------------------

                 Key: CONNECTORS-128
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-128
             Project: ManifoldCF
          Issue Type: Bug
          Components: Documentum connector, FileNet connector, Framework agents process, Framework core
            Reporter: Karl Wright


ManifoldCF uses SQL. Quoted string fields in SQL might be unsafe because it might be possible to override the intended statement with stuff from the parameter. A method in the SQL abstraction layer called quoteSQLString() is supposed to safely quote a SQL string to avoid any possibility of this occurring, but PostgreSQL is configurable in how it handles quotes, and if the wrong setting is selected, quoteSQLString() becomes vulnerable.

Rather than make quoteSQLString() work properly, or use it solely in conjunction with constant values (as is currently the case), it has been decided that the very existence of this method is a security risk, and thus the method and all uses must be removed. The reasoning behind this is that quoting of strings is inherently unsafe because quoting methods cannot be made to be correct. (This claim is not accepted by everyone, for what it is worth.)

This is unfortunate because several connectors (Documentum and FileNet specifically) use APIs that require the use of SQL-like languages, which may potentially be converted into SQL by the (opaque) API software, but do not have the ability to support parameterized queries. If the reasoning is correct, it would indicate that all uses of these client APIs are vulnerable to SQL injection. Taken to its conclusion, a valid recourse might be removal of the FileNet and Documentum connector software as well.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
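The issue's point that a quoting routine is only correct relative to the server's quoting rules can be checked mechanically. The following added example is not ManifoldCF code; it assumes the PostgreSQL setting meant is standard_conforming_strings and that quoteSQLString() works by doubling single quotes, and it lexes the quoted value the way the server would under each setting to see whether it still forms exactly one string literal.

```python
# Added example, not part of ManifoldCF. Models PostgreSQL's lexing of a
# single-quoted literal under both values of standard_conforming_strings
# (assumed to be the setting the issue refers to) and checks whether a
# quote-doubling routine in the style of quoteSQLString() keeps a hostile
# parameter inside a single literal.

def quote_sql_string(value: str) -> str:
    """Assumed behaviour of quoteSQLString(): double single quotes, wrap in quotes."""
    return "'" + value.replace("'", "''") + "'"


def literal_end(sql: str, backslash_escapes: bool) -> int:
    """Index just past the first string literal in `sql`, lexed as PostgreSQL does:
    '' is always an escaped quote; with standard_conforming_strings=off
    (backslash_escapes=True) a backslash also escapes the following character."""
    if not sql.startswith("'"):
        raise ValueError("value does not start with a quote")
    i = 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2          # backslash consumes the next character
            continue
        if c == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2      # doubled quote stays inside the literal
                continue
            return i + 1    # unescaped quote terminates the literal
        i += 1
    raise ValueError("unterminated string literal")


def is_single_literal(quoted: str, backslash_escapes: bool) -> bool:
    """True only when the whole quoted value is one literal: it neither ends
    early (leaving text outside the string) nor runs past its closing quote."""
    try:
        return literal_end(quoted, backslash_escapes) == len(quoted)
    except ValueError:
        return False


def safe_under_both_settings(value: str) -> dict:
    """Report whether quote-doubling contains `value` under each server setting."""
    quoted = quote_sql_string(value)
    return {
        "standard_conforming_strings=on": is_single_literal(quoted, False),
        "standard_conforming_strings=off": is_single_literal(quoted, True),
    }
```

A value containing a backslash followed by a quote is contained under one setting and breaks out of the literal under the other, which is exactly why the issue prefers parameterized queries over any quoting function.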