Hi all,
I was wondering if there is some kind of security announcements mailing
list or anything where we could be informed of security issues directly
from the horse's mouth? :) I did join the mailing list after 0.7.0 was
released so I can't tell if this particular issue was mentioned, a quick
google search of the group archives suggests it was not.
While this does not affect me because my apps use 0.7.5, I've just
learned today, through CentOS/RH updates, about a SQL injection
vulnerability in versions prior to 0.7.0b wrt LIMIT and OFFSET clauses
not being sanitized.
https://bugzilla.redhat.com/show_bug.cgi?id=783305
The SQLA changelog does mention this:
    The limit/offset keywords to select() as well
    as the value passed to select.limit()/offset()
    will be coerced to integer. [ticket:2116]
    (also in 0.6.7)
I do read changelogs when I install/upgrade, but not coercing values is
not the same as allowing SQL injection, i.e. if a string param was used, it
should be properly escaped / bound, no? So this particular entry did not
alarm me, especially since I always manually coerce integer input params
to ints, a habit I developed in my PHP days.
Looking through the patches I see integer_or_raise() was added to SQL
expressions (and utils), which is great, and I'm not sure whether the
Postgresql dialect had the same vuln as the mentioned Oracle dialect (in
ticket 2116), as I'm using Postgres exclusively, and I'm not sure where
to even begin looking.
Still, I wonder if there are more holes? Not a critique, just an honest
question: I thought SQLA always used binding?
Thanks,
--
.oO V Oo.
--
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
To post to this group, send email to sqlalchemy@googlegroups.com.
To unsubscribe from this group, send email to
sqlalchemy+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en.
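The distinction the post raises, between a value that is bound as a parameter and one that is rendered inline into the SQL text, is what makes the integer coercion matter. The following is an added example, not code from the post or from SQLAlchemy: the `integer_or_raise()` below is a hypothetical helper named after the function the post mentions (its behaviour is an assumption, not SQLAlchemy's implementation), and `render_bound()` / `render_inline()` are toy renderers standing in for a dialect that can bind LIMIT/OFFSET and one that must write the numbers into the statement. In the bound case the check is defence in depth; in the inline case it is the only thing keeping caller input out of the SQL text.

```python
import re

# Strict integer syntax: optional sign and digits only, surrounding whitespace
# tolerated. Anything else (SQL fragments, floats, empty strings) is rejected.
_INT_RE = re.compile(r"^\s*[+-]?\d+\s*$")


def integer_or_raise(value, name):
    """Return value as an int or raise TypeError.

    Hypothetical helper (assumption: modeled on the name in the post, not
    SQLAlchemy's code). Accepts ints and strings that are purely an integer;
    rejects bool explicitly because bool is a subclass of int in Python.
    """
    if isinstance(value, bool):
        raise TypeError("%s must be an integer, got bool" % name)
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _INT_RE.match(value):
        return int(value)
    raise TypeError("%s must be an integer, got %r" % (name, value))


def render_bound(table, limit, offset):
    """Toy renderer for a dialect that binds LIMIT/OFFSET as parameters.

    Returns (sql, params). The values never reach the SQL text, so the driver
    handles them; the coercion is still applied so bad input fails early.
    """
    sql = "SELECT * FROM %s LIMIT :limit OFFSET :offset" % table
    params = {
        "limit": integer_or_raise(limit, "limit"),
        "offset": integer_or_raise(offset, "offset"),
    }
    return sql, params


def render_inline(table, limit, offset):
    """Toy renderer for a dialect that cannot bind these values.

    Constructed ROWNUM-style wrapper (assumption: shape only, not any real
    dialect's output). Because the numbers are interpolated into the
    statement, coercion is the only barrier between caller input and SQL.
    """
    lim = integer_or_raise(limit, "limit")
    off = integer_or_raise(offset, "offset")
    return (
        "SELECT * FROM (SELECT t.*, ROWNUM AS rn FROM %s t "
        "WHERE ROWNUM <= %d) WHERE rn > %d" % (table, lim + off, off)
    )


def rejects(thunk):
    """True if calling thunk() raises TypeError (used to check rejection)."""
    try:
        thunk()
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(render_bound("users", "10", 0))
    print(render_inline("users", 10, 20))
    # Constructed hostile input: a string that is not an integer is refused
    # by both renderers before any SQL text is built.
    print(rejects(lambda: render_inline("users", "10 OR 1=1", 0)))
```

The useful habit this encodes is the one the post already describes: coerce at the boundary where the value enters the query builder, not at the dialect, so the guarantee holds regardless of whether a given backend binds or inlines the clause.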