Hello list. I'm thinking of migrating the whole user db from system users to mysql. I already did it in a test environment, but something is annoying my OCD... I don't quote the variables username and password sent to the mysql server. I know, the mysql user that dovecot uses only has select rights, but it still bothers me, because it's possible to do a useless sql code injection.

Is there a way to quote that? Something like exim's quote_mysql?

Regards, Juan.
On 02.02.2015 at 18:07, Juan Bernhard wrote:
> Hello list. I'm thinking of migrating the whole user db from system users
> to mysql. I already did it in a test environment, but something is
> annoying my OCD... I don't quote the variables username and password
> sent to the mysql server. I know, the mysql user that dovecot uses only
> has select rights, but it still bothers me, because it's possible to do
> a useless sql code injection.
>
> Is there a way to quote that? Something like exim's quote_mysql?

There is not much to quote when dovecot accepts only a limited set of
chars at all and otherwise doesn't send any query:

auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
> On 02.02.2015 at 18:07, Juan Bernhard wrote:
>> Hello list. I'm thinking of migrating the whole user db from system users
>> to mysql. I already did it in a test environment, but something is
>> annoying my OCD... I don't quote the variables username and password
>> sent to the mysql server. I know, the mysql user that dovecot uses only
>> has select rights, but it still bothers me, because it's possible to do
>> a useless sql code injection.
>>
>> Is there a way to quote that? Something like exim's quote_mysql?
>
> There is not much to quote when dovecot accepts only a limited set of
> chars at all and otherwise doesn't send any query:
>
> auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
> auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

The password is not subject to this limitation. I'm not an sql expert, I still *think* that there is nothing to worry about... but I'm not 100% sure.
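The two settings quoted in the reply above, and the point in this message that the password is not covered by them, as an added Python example that is not from the thread and not Dovecot's own code. It models `auth_username_chars` as a whitelist and `auth_username_translation` as consecutive (from, to) character pairs, uses an in-memory sqlite3 table with constructed rows as a stand-in for the MySQL users table, and contrasts a parameterised password lookup with the string-spliced lookup the original poster is uneasy about. The function names are hypothetical, and the assumption that the character check runs before the translation is mine, not something the thread states.

```python
import sqlite3

# Settings as quoted in the reply on the list (values copied from the thread).
AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%"
)
AUTH_USERNAME_TRANSLATION = "%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz"


def parse_translation(table: str) -> dict:
    """Read an auth_username_translation value as consecutive (from, to) pairs."""
    if len(table) % 2:
        raise ValueError("translation table needs an even number of characters")
    return {table[i]: table[i + 1] for i in range(0, len(table), 2)}


def fix_username(username: str,
                 allowed: str = AUTH_USERNAME_CHARS,
                 translation: str = AUTH_USERNAME_TRANSLATION):
    """Return the normalised username, or None when a character outside the
    whitelist is present (the reply's point: then no query is sent at all).
    Assumption, not from the thread: the whitelist is checked before translation."""
    if any(ch not in allowed for ch in username):
        return None
    mapping = parse_translation(translation)
    return "".join(mapping.get(ch, ch) for ch in username)


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    # The stored password deliberately contains a single quote.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("juan@example.org", "pa'ss"))
    conn.commit()
    return conn


def password_matches_parameterized(conn, username: str, password: str) -> bool:
    """Both values travel as bound parameters, never as SQL text, so a quote
    in the password is plain data and the lookup behaves as intended."""
    row = conn.execute(
        "SELECT userid FROM users WHERE userid = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def password_matches_interpolated(conn, username: str, password: str) -> bool:
    """The pattern the original poster is uneasy about: values spliced into
    the statement text.  A quote inside the password breaks the statement."""
    query = (f"SELECT userid FROM users WHERE userid = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def run_demo() -> dict:
    """Exercise the username filter and both password lookups; returns the results."""
    conn = make_demo_db()
    results = {
        "normalised": fix_username("Juan%Example.org"),   # '%' -> '@', upper -> lower
        "rejected": fix_username("o'brien@example.org"),  # quote is not in the whitelist
        "param_ok": password_matches_parameterized(conn, "juan@example.org", "pa'ss"),
        "param_wrong": password_matches_parameterized(conn, "juan@example.org", "wrong"),
    }
    try:
        password_matches_interpolated(conn, "juan@example.org", "pa'ss")
        results["interpolated"] = "ran"
    except sqlite3.OperationalError:
        results["interpolated"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The username side shows why the reply's settings matter: anything outside the whitelist is rejected before a query exists. The password side shows the gap this message points at: a spliced-in password containing a quote breaks the statement, while the parameterised form matches the stored value correctly, so the fix for the unquoted case is to keep the values out of the SQL text rather than to restrict which characters a password may contain.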
On Mon, 2 Feb 2015, Juan Bernhard wrote:
> Hello list. I'm thinking of migrating the whole user db from system users
> to mysql. I already did it in a test environment, but something is
> annoying my OCD... I don't quote the variables username and password
> sent to the mysql server. I know, the mysql user that dovecot uses only
> has select rights, but it still bothers me, because it's possible to do
> a useless sql code injection.
>
> Is there a way to quote that? Something like exim's quote_mysql?

http://dovecot.org/list/dovecot/2006-November/017610.html

-- 
Steffen Kaiser