Hi,

on my way home today I thought a little bit about my setup which involves user and password lookups in an SQL database (Postgres). I asked myself whether I need to do anything to prevent SQL injection via forged user or domain names.

In the wiki I didn't find anything specific, only http://wiki.dovecot.org/Variables which mentions that there is the %E modifier which escapes single quotes and backslashes. This appears to be a good idea but I am asking myself whether I need to do this since it is not mentioned anywhere. Is anybody able to comment on this?

And BTW, it appears that one can use several modifiers at once. This is only implicitly mentioned in the wiki (You can apply modifier*s*), but it appears to work.

J.
-- 
Ultimately, the Millenium Dome is a spectacular monument of the doublethink of our times.
[Agree] [Disagree] <http://www.slowlydownward.com/NODATA/data_enter2.html>
Quoting Jochen Schulz:
> on my way home today I thought a little bit about my setup which
> involves user and password lookups in an SQL database (Postgres). I
> asked myself whether I need to do anything to prevent SQL injection via
> forged user or domain names.

RTSL! Every SQL driver has its own escape function, which is called for every %var string. This was discussed before: http://dovecot.org/list/dovecot/2006-November/017610.html
Hi,

just cleaning the config file, and I found:

  # List of allowed characters in username. If the user-given username contains
  # a character not listed in here, the login automatically fails. This is just
  # an extra check to make sure user can't exploit any potential quote escaping
  # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
  # set this value to empty.
  #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

Aaaaaaaaagur.

On Monday, 29 January 2007 23:29, Jochen Schulz wrote:
> Hi,
>
> on my way home today I thought a little bit about my setup which
> involves user and password lookups in an SQL database (Postgres). I
> asked myself whether I need to do anything to prevent SQL injection via
> forged user or domain names.
>
> In the wiki I didn't find anything specific, only
> http://wiki.dovecot.org/Variables which mentions that there is the %E
> modifier which escapes single quotes and backslashes. This appears to be
> a good idea but I am asking myself whether I need to do this since it is
> not mentioned anywhere. Is anybody able to comment on this?
>
> And BTW, it appears that one can use several modifiers at once. This is
> only implicitly mentioned in the wiki (You can apply modifier*s*), but
> it appears to work.
>
> J.
-- 
Joseba Torre. CIDIR Bizkaia.
Hi Jochen,

> In the wiki I didn't find anything specific, only
> http://wiki.dovecot.org/Variables which mentions that there is the %E
> modifier which escapes single quotes and backslashes. This appears to be
> a good idea but I am asking myself whether I need to do this since it is
> not mentioned anywhere. Is anybody able to comment on this?

Escaping is a nice mitigation. But the method of choice is prepared statements (either in stored procedures or in the application). This is not only more secure than dynamically building SQL statements but also a bit faster. In fact it can accelerate the app even more since no escaping is needed then. Hopefully Dovecot is already doing it that way.

Jürgen
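Added example, not code from the thread or from Dovecot itself, putting the three mitigations raised above side by side in Python: the auth_username_chars allow-list Joseba quotes, the quote-and-backslash escaping the %E modifier performs, and the parameterised lookup Jürgen recommends. An in-memory SQLite table with one constructed user row stands in for the Postgres database; the table layout and password value are assumptions.

```python
import sqlite3

# Default allow-list as quoted from dovecot.conf in the thread (auth_username_chars).
AUTH_USERNAME_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"


def username_allowed(user: str) -> bool:
    """Dovecot's extra check: the login fails if any character is outside the list."""
    return bool(user) and all(ch in AUTH_USERNAME_CHARS for ch in user)


def escape_e(value: str) -> str:
    """What the %E modifier from the wiki does to a variable: escape single quotes
    and backslashes so the value can sit inside a quoted SQL literal. Shown only
    for illustration; as Timo notes, each SQL driver applies its own escaping."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_users_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the Postgres one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    # Hypothetical user row; the password value is a placeholder, not a real scheme.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("jochen@example.org", "{PLAIN}hypothetical-pw"))
    conn.commit()
    return conn


def lookup_password_bound(conn: sqlite3.Connection, user: str):
    """Jürgen's recommendation: the username is bound as a parameter, never spliced
    into the SQL text, so quotes inside it cannot change the statement.
    Returns the stored password or None when the user is unknown."""
    row = conn.execute("SELECT password FROM users WHERE userid = ?", (user,)).fetchone()
    return row[0] if row else None


def lookup_password(conn: sqlite3.Connection, user: str):
    """Both layers together, as Dovecot's config comment describes: the allow-list
    rejects odd characters before the database is consulted at all."""
    if not username_allowed(user):
        return None
    return lookup_password_bound(conn, user)
```

Running the functions over a name containing a quote shows the allow-list rejecting it outright and the bound query simply finding no row, so neither path ever interprets the name as SQL.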