Actually, the more I look at this, the more I think it would be better to log an entry about unescaped characters to the system log and deny the query, at least until the patch (http://cert.uni-stuttgart.de/doc/postgresql/escape/postgresql-escape-2001-09-04.diff) has been added to the mainstream pgsql package.
I can return an error message stating why the query was denied. This would also force the developer to monitor their code as well. Like the alert says, this would put the responsibility on the developer. The PAM module should just check for a correctly formed string, complete with a security check. Any thoughts?

----- Original Message -----
From: David D.W. Dowey <[EMAIL PROTECTED]>
To: Leon Breedt <[EMAIL PROTECTED]>
Cc: <debian-devel@lists.debian.org>
Sent: Wednesday, January 09, 2002 3:14 AM
Subject: Re: inactivity, and orphaned packages

> This problem looks to be in the libpq itself, not the pam library module
> itself.
>
> I could probably extend the module to include the escape check itself.
> Shouldn't hurt any queries adding that check before making submissions,
> whether this patch has been added or not.
>
> Simple check for formatting should do it.
>
> Want to discuss this fix privately or on the list? Or do you just want me to
> take the package and fix on my own?
>
> Also, who would be sponsoring my package once I took this over? Would you be
> doing it or do I need to make a request for a different sponsor?
>
> Either is fine for me. All depends on _your_ time allowance.
>
> > There is a security problem with the way it accesses the database, in that
> > single quotes are not escaped.
> >
> > A discussion of the problem, and a suggested fix, is here:
> >
> > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> >
> > I myself don't have the time to look into this...
> >
> > Regards,
> > Leon.
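The defect the thread is about (credential values pasted straight into the SQL text with single quotes left unescaped) and the two responses it weighs, escaping the value before building the query and refusing input that contains unescaped characters so it can be logged and denied, shown side by side as an added example. This is not code from the PAM module, from libpq, or from anyone on the thread; it does not call libpq at all, and the table and column names (users, login, password), the buffer sizes and the sample credential are assumed or constructed for illustration.

```c
/* Added example, not the pam module's or libpq's own code.  Shows how an
 * unescaped single quote turns an authentication query into an injection,
 * and two ways of stopping it: escaping the literal, or denying the input.
 * Self-contained; table/column names and the sample credential are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Escape a value for use inside a single-quoted PostgreSQL string literal
 * of that era (backslash still an escape character): double every ' and
 * every \.  Returns the number of characters written, or -1 if out is
 * too small to hold the escaped value plus its terminating NUL. */
int pg_escape_literal(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '\'' || *p == '\\') ? 2 : 1;
        if (n + need + 1 > outlen) return -1;
        if (need == 2) out[n++] = *p;   /* emit the doubled copy first */
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* The check proposed in the reply above: refuse a credential outright if it
 * contains characters that could close the string literal or smuggle a
 * statement separator or control byte to the server.  1 = deny (caller
 * logs it to syslog and fails the query), 0 = acceptable. */
int deny_unsafe_input(const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == '\'' || *p == '\\' || *p == ';' || iscntrl(*p)) return 1;
    }
    return 0;
}

/* The defect under discussion: values pasted into the SQL text as-is. */
int build_query_unsafe(const char *user, const char *pass,
                       char *out, size_t outlen) {
    int n = snprintf(out, outlen,
        "SELECT 1 FROM users WHERE login='%s' AND password='%s'", user, pass);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened form: each value escaped before it enters its literal. */
int build_query_safe(const char *user, const char *pass,
                     char *out, size_t outlen) {
    char eu[256], ep[256];
    if (pg_escape_literal(user, eu, sizeof eu) < 0) return -1;
    if (pg_escape_literal(pass, ep, sizeof ep) < 0) return -1;
    int n = snprintf(out, outlen,
        "SELECT 1 FROM users WHERE login='%s' AND password='%s'", eu, ep);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    /* Constructed input: a quote-based bypass supplied as the "password". */
    const char *user = "alice";
    const char *pass = "' OR '1'='1";
    char q[512];

    build_query_unsafe(user, pass, q, sizeof q);
    printf("unsafe: %s\n", q);   /* ... password='' OR '1'='1'  -> always true */

    build_query_safe(user, pass, q, sizeof q);
    printf("safe:   %s\n", q);   /* ... password=''' OR ''1''=''1' -> one literal */

    printf("deny:   %d\n", deny_unsafe_input(pass));   /* 1: log it and refuse */
    return 0;
}
```

Hand-rolled escaping is exactly what the 2001 libpq patch was meant to make unnecessary for callers: later libpq releases provide PQescapeStringConn, and PQexecParams sends values separately from the query text so nothing needs escaping at all. The deny check remains useful as the logging hook the reply proposes and as defence in depth. Note that doubling backslashes assumes the old non-standard-conforming string behaviour; with standard_conforming_strings on, only the quote needs doubling.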