From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Tue, 22 Jun 2021 03:47:04 +0300
References: <87pmwgdiyj.fsf@zoho.eu> <83y2b3tq07.fsf@gnu.org> <871r8vcrnm.fsf@posteo.net> <20210621141148.GA29347@tuxteam.de> <20210621211547.GA12274@tuxteam.de> <87lf72vixh.fsf@zoho.eu>
In-Reply-To: <87lf72vixh.fsf@zoho.eu>
To: help-gnu-emacs@gnu.org
User-Agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)
Xref: news.gmane.io gmane.emacs.help:131175

* Emanuel Berg via Users list for the GNU Emacs text editor [2021-06-22 03:32]:
> Jean Louis wrote:
>
> > I agree on that. But we cannot possibly expect all possible
> > dangers to be known by all possible programmers at all times
> > especially on this mailing list
>
> OK, so the SQL injection is a common attack vector, but what
> should we call this issue?

It is probably lack of database administration skills. It is nothing
related to Emacs really.

There is nothing special about SQL compared to any other kind of user
input. In fact, PostgreSQL and MySQL or MariaDB are rather safe
databases. If the user does not have permission to DROP tables or do
something malicious, then it does not have it, finished there. One can
try it, but it will not work.

On the other hand, injecting simple malicious Emacs Lisp anywhere in
any file is, as a possible option, omnipresent on the Internet, and we
don't even speak about that.

Thousands of users are blindly accepting programs from MELPA or any
kind of ELPA without knowing what is going to happen with the data. And
then we worry about possible SQL injections in Emacs Lisp.

I just wonder how and where SQL injection would happen. Is it maybe by
malicious staff members versed in PostgreSQL? Or maybe Emacs Lisp
running some sensitive data online (without backup) being exposed to
online crackers trying to cheat the code and DROP some tables or do
other bad stuff? It is so unlikely to take place.

Bounty is US $10 from my side if somebody succeeds in SQL injecting a
DROP of a table into my software.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
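The two points argued in this message, that printf-style quoting of user input into SQL text is the actual defect, and that a database role without DROP permission stops a DROP whatever text reaches the server, can both be shown in a few lines. The following is an added example, not code from the message or from any Emacs package; it uses Python's built-in sqlite3 as an offline stand-in for PostgreSQL, and the `notes` table, its rows, and the crafted input are all constructed for the demonstration. The sqlite3 authorizer hook plays the role of a read-only PostgreSQL role.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small table standing in for the kind of
    per-user data an Emacs Lisp frontend might keep in PostgreSQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes (id INTEGER PRIMARY KEY,
                            owner TEXT NOT NULL,
                            body TEXT NOT NULL);
        INSERT INTO notes (owner, body) VALUES ('alice', 'alice note');
        INSERT INTO notes (owner, body) VALUES ('bob', 'bob note');
    """)
    return conn


def notes_for_owner_unsafe(conn, owner):
    """printf-style quoting: the argument is spliced into the SQL text, so a
    quote character inside it changes the statement that the server parses."""
    sql = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Bound parameter: the argument travels as a value, never as SQL text,
    so whatever characters it holds it only ever selects a matching owner."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def restrict_to_reads(conn):
    """Least-privilege stand-in for a PostgreSQL role granted only SELECT:
    every action other than reading is refused by the database itself, so a
    DROP cannot succeed even when injected SQL does reach it (assumed
    mapping; sqlite3's authorizer is not PostgreSQL's GRANT system)."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def drop_is_refused(conn):
    """True when the database, not the application, blocks DROP TABLE."""
    try:
        conn.execute("DROP TABLE notes")
    except sqlite3.DatabaseError:  # sqlite reports 'not authorized'
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe:", notes_for_owner_unsafe(conn, crafted))  # every row leaks
    print("safe:  ", notes_for_owner_safe(conn, crafted))    # no such owner
    restrict_to_reads(conn)
    print("drop refused:", drop_is_refused(conn))
    print("reads still work:", notes_for_owner_safe(conn, "alice"))
```

The first two functions differ only in how the argument reaches the database, which is the whole "printf and quoting" question in the subject line: the formatted version hands the server a different statement, the parameterised one always hands it the same statement with a different value. The authorizer demonstrates the second argument of the message: once the connection's role cannot drop tables, the DROP fails at the server regardless of how the text got there, while ordinary reads keep working.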