[Dovecot] How to prevent SQL injection
Joseba Torre
joseba.torre at ehu.es
Tue Jan 30 09:33:12 UTC 2007
Hi,
just cleaning the config file, and I found:
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all
characters,
# set this value to empty.
#auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
Aaaaaaaaagur.
El Lunes, 29 de Enero de 2007 23:29, Jochen Schulz escribió:
> Hi,
>
> on my way home today I thought a little bit about my setup which
> involves user and password lookups in an SQL database (Postgres). I
> asked myself whether I need to do anything to prevent SQL injection via
> forged user or domainnames.
>
> In the wiki I didn't find anything specific, only
> http://wiki.dovecot.org/Variables which mentions that there is the %E
> modifier which escapes single quites and backslashes. This appears to be
> a good idea but I am asking myself whether I need to do this since it is
> not mentioned anywhere. Is anybody able to comment on this?
>
> And BTW, it appears that one can use several modifiers at once. This is
> only implicitly mentioned in the wiki (You can apply modifier*s*), but
> it appears to work.
>
> J.
--
Joseba Torre. CIDIR Bizkaia.
More information about the dovecot
mailing list