From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Jean Louis Newsgroups: gmane.emacs.help Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way] Date: Mon, 28 Jun 2021 09:56:31 +0300 Message-ID: References: <87pmwgdiyj.fsf@zoho.eu> <83y2b3tq07.fsf@gnu.org> <871r8vcrnm.fsf@posteo.net> <20210621141148.GA29347@tuxteam.de> <20210621211547.GA12274@tuxteam.de> <87lf72vixh.fsf@zoho.eu> <87v9612l2n.fsf@zoho.eu> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="21897"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Mutt/2.0.7+183 (3d24855) (2021-05-28) To: help-gnu-emacs@gnu.org Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Mon Jun 28 08:58:30 2021 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lxlDw-0005TE-Oj for geh-help-gnu-emacs@m.gmane-mx.org; Mon, 28 Jun 2021 08:58:28 +0200 Original-Received: from localhost ([::1]:44806 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lxlDv-0007fJ-Ph for geh-help-gnu-emacs@m.gmane-mx.org; Mon, 28 Jun 2021 02:58:27 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:46504) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lxlDB-0007f7-6S for help-gnu-emacs@gnu.org; Mon, 28 Jun 2021 02:57:42 -0400 Original-Received: from stw1.rcdrun.com ([217.170.207.13]:55381) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lxlD7-00020F-KY for help-gnu-emacs@gnu.org; Mon, 28 Jun 2021 02:57:40 -0400 Original-Received: from localhost ([::ffff:41.210.146.17]) (AUTH: PLAIN admin, TLS: TLS1.3,256bits,ECDHE_RSA_AES_256_GCM_SHA384) by stw1.rcdrun.com with ESMTPSA id 0000000000055D5B.0000000060D972DF.0000614F; Sun, 27 Jun 2021 23:57:34 -0700 Mail-Followup-To: help-gnu-emacs@gnu.org Content-Disposition: inline In-Reply-To: <87v9612l2n.fsf@zoho.eu> Received-SPF: permerror client-ip=217.170.207.13; envelope-from=bugs@gnu.support; helo=stw1.rcdrun.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "help-gnu-emacs" Xref: news.gmane.io gmane.emacs.help:131321 Archived-At: * Emanuel Berg [2021-06-26 02:31]: > > There is nothing special to SQL then to any other kind of > > user's input. In fact, PostgreSQL and MySQL or MariaDB are > > rather safe databases. > > I think that has turned into a schoolbook example because it > has a cool name and everyone will understand it instantly. > So it can serve the educational purpose to illuminate this in > all of computing to not execute or use user input, without > checking it out first. Indeed it would surprise me if you > could just do it out-of-the-box for modern database management > systems and expect it to be just wide open there for you to > do it. There is way to go and that is by providing parameters that are automatically escaped. pq:query is a module function. (pq:query CONN COMMAND &rest PARAMETERS) Execute COMMAND on CONN with optional PARAMETERS. Run an SQL command on a connection obtained by ‘pq:connectdb’. If PARAMETERS are used, you can reference them in COMMAND using $1, $2, ..., $12. Return the list of rows returned by the last statement in COMMAND. Rows are returned as atomic values if the statement yields a single column, or a vector of values if it yields more than one column. I am anyway SQL escaping all of the input values to database. Since we talked I have moved to better workflow and now I am first preparing one part of the SQL command without user's input and then using the user's input as a parameter that prevents those problems. I just guess it should be similar in MariaDB or MySQL. But I don't use it due to lack of readline and command expansion. > > On the other hand injecting simple malicious Emacs Lisp > > anywhere in any file is as a possible option omni-present on > > Internet, and we don't even speak about that. > > Well, it doesn't work like that, really. It is about the same danger. Practically there was never danger on my side as it is me who is using the database which is motly the case with many database applications. Problem comes with a large users base where malicious people may start doing something to the company or public or unknown crackers or script kiddies. It is better not to classify possible problematic sources and just do it more safe. > > Thousands of users are blindly accepting programs from MELPA > > Ha ha, thousands of users are doing that blindly! My, my. > How many people are doing it with ONE EYE open, you think? Well, without watching in the code. Click and install. There is no real security involved and users don't watch what is being installed, as Internet is large it is quite easy to create a game and make backdoor in Emacs or do other malicious stuff. It is also possible to make a module and do same. Until we know it, we cannot know it. > > Bounty is US $10 from my side if somebody succeeds to SQL > > inject in my software a DROP of a table. > > But where are your tables? Find it for the bounty. -- Jean Take action in Free Software Foundation campaigns: https://www.fsf.org/campaigns In support of Richard M. Stallman https://stallmansupport.org/