On Fri, 30 Jun 2006, Timothy White wrote:
On 6/28/06, Timothy White <weirdit@gmail.com> wrote:
I just realised that it may be possible to exploit the snprintf and send strange commands to the server. For this reason, the user that the plugin uses should only be able to run the 2 procedures. I have no idea how to make this secure, or if it is secure or not. Any ideas? (e.g. snprintf(query, 20+MAXSIGLEN, "CALL SPAM(\"%s\")", signature); If someone modifies the header, as long as it's within the MAXSIGLEN then they can affect the query?)
Anyone got ideas/comments on this?
Dunno what you exactly mean, but when the signature is user-specified, you have to:
a) sanitize the contents, so it cannot break out of the quotes, e.g. you have to quote embedded quotes and escape characters, and
b) you must ensure that strlen(signatures) < 20+MAXSIGLEN - strlen(pattern)
Bye,
-- Steffen Kaiser
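
Added example, not code from the thread or the plugin: one way to apply points (a) and (b) from the reply above to the snprintf call quoted in the question. The names escape_sig and build_spam_query, the MAXSIGLEN value and the sample input are assumptions, and the backslash escaping assumes a server that treats backslash as the escape character inside string literals (MySQL's default).

```c
#include <stdio.h>
#include <string.h>

#define MAXSIGLEN 64   /* assumed value; the thread does not give it */

/* Point (a): backslash-escape quotes and backslashes; refuse anything that
 * is not printable ASCII. Returns escaped length, or -1 on rejection. */
static int escape_sig(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = (c == '"' || c == '\'' || c == '\\') ? 2 : 1;
        if (c < 0x20 || c > 0x7e)
            return -1;              /* control or non-ASCII byte */
        if (o + need >= dstlen)
            return -1;              /* no room for the byte(s) plus NUL */
        if (need == 2)
            dst[o++] = '\\';
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Point (b): check lengths before and after formatting, and never hand a
 * truncated query to the server. Returns 0 on success, -1 on rejection. */
int build_spam_query(char *query, size_t qlen, const char *signature)
{
    char esc[2 * MAXSIGLEN + 1];    /* worst case: every byte escaped */
    int n;
    if (strlen(signature) > MAXSIGLEN)
        return -1;
    if (escape_sig(esc, sizeof esc, signature) < 0)
        return -1;
    n = snprintf(query, qlen, "CALL SPAM(\"%s\")", esc);
    if (n < 0 || (size_t)n >= qlen) {
        if (qlen) query[0] = '\0';  /* discard the truncated query */
        return -1;
    }
    return 0;
}

int main(void)
{
    char query[20 + 2 * MAXSIGLEN];
    const char *sample = "a\"b\\c"; /* constructed input with a quote and a backslash */
    if (build_spam_query(query, sizeof query, sample) == 0)
        puts(query);
    return 0;
}
```

Where the client library offers it, its own escaping routine or a prepared statement with a bound parameter replaces the hand-written escaper.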