robinluckey-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Feb-02 19:54 UTC
ActiveRecord + Postgres + \000 = BOOM
We've been seeing some queries against our Rails website which include the "\000" character in some string params. I don't know if these are malicious or not, but Postgres does not like them at all, and ActiveRecord does not help us by escaping this character.

It's easy to repro:

$ script/console
>> Account.find_by_name("\000")
ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted string at or near "'" at character 50
: SELECT * FROM accounts WHERE (accounts."login" = '' ) LIMIT 1

It seems that somewhere in the chain, either ActiveRecord or the Postgres connection code should either strip or escape the \000 character.

This is a pretty difficult problem to google against, but it seems unlikely we're the only ones with this issue. Anyone?

We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Thanks,
Robin

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
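One way to handle this at the application boundary, as an added example that is not part of the thread and not Rails or ActiveRecord code: detect NUL bytes anywhere in the incoming parameter tree (so the request can be logged or rejected) and, where you choose to tolerate them, strip them before the value reaches a finder. The helper names `contains_nul?` and `scrub_nul_bytes` and the `SAMPLE_PARAMS` hash are constructed for this example.

```ruby
# Added example: NUL-byte detection and scrubbing for a params-style hash.
# Not code from the thread or from Rails; the helper names are hypothetical.

NUL = "\000".freeze

# Returns true if any String nested inside +value+ (String, Array or Hash,
# including Hash keys) contains a NUL byte. Use this to log or reject the
# request before ActiveRecord builds a query from it.
def contains_nul?(value)
  case value
  when String then value.include?(NUL)
  when Array  then value.any? { |v| contains_nul?(v) }
  when Hash   then value.any? { |k, v| contains_nul?(k) || contains_nul?(v) }
  else false
  end
end

# Returns a deep copy of +value+ with every NUL byte removed from every
# nested String. Keys are scrubbed as well as values; non-string leaves
# (numbers, nil, symbols) are returned unchanged.
def scrub_nul_bytes(value)
  case value
  when String then value.delete(NUL)
  when Array  then value.map { |v| scrub_nul_bytes(v) }
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[scrub_nul_bytes(k)] = scrub_nul_bytes(v)
    end
  else value
  end
end

# Constructed sample: roughly what the params hash for one of the poisoned
# requests described in the thread would look like.
SAMPLE_PARAMS = {
  "controller" => "accounts",
  "action"     => "show",
  "name"       => "robin\000",
  "tags"       => ["ok", "bad\000tag"],
  "page"       => 2,
}.freeze

if __FILE__ == $0
  if contains_nul?(SAMPLE_PARAMS)
    warn "request parameters contained NUL bytes; scrubbing before lookup"
  end
  p scrub_nul_bytes(SAMPLE_PARAMS)
end
```

Calling `contains_nul?` first and returning a 400 is usually the better choice, since a NUL in a name or login field has no legitimate meaning and the event is worth counting; scrubbing is the fallback when you would rather serve the request than drop it. Either way, run the check in a controller filter ahead of any `find_by_*` call so the quoted value never reaches the Postgres adapter.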
robinluckey-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> We've been seeing some queries against our Rails website which include
> the "\000" character in some string params. I don't know if these are
> malicious or not, but Postgres does not like them at all, and
> ActiveRecord does not help us by escaping this character.
>
> It's easy to repro:
>
> $ script/console
> >> Account.find_by_name("\000")
> ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted
> string at or near "'" at character 50
> : SELECT * FROM accounts WHERE (accounts."login" = '' ) LIMIT 1
>
> It seems that somewhere in the chain, either ActiveRecord or the
> Postgres connection code should either strip or escape the \000
> character.
>
> This is pretty difficult problem to google against, but it seems
> unlikely we're the only ones with this issue. Anyone?
>
> We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.
>
> Thanks,
> Robin

Not much help, but it's known as a "poison null byte" iirc - used for SQL injection. <runs off to test setup/>
Unfortunately PostgreSQL uses C strings, and therefore treats binary nulls in a "C way". They could avoid it but haven't done it so far, as far as I know....

--
Posted via http://www.ruby-forum.com/.