The information here is out of date. Please bear that in mind when using it.

Opened 15 years ago

Closed 15 years ago

#1533 closed defect (wontfix)

The SET NAMES query issued on DB connection carries a risk of SQL injection

Reported by: ebihara Owned by: nobody
Priority: minor Milestone:
Component: Other Version: 2.8.x & 2.10.x & 2.11.x
Keywords: Cc:

Description

Related ticket: #1510

OpenPNE_DB::_connect() executes a SET NAMES query, but this is undesirable because it may carry a risk of SQL injection.

Change History (3)

comment:1 Changed 15 years ago by ebihara

That said, it is doubtful whether this can actually occur under UTF-8 (of course, if mysql_set_charset() is available, it is certainly better to use it).

Reference: http://www.postgresql.org/docs/techdocs.50

The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An application that uses this conversion while embedding untrusted strings in SQL commands is vulnerable to SQL-injection attacks if it communicates with the server in one of these encodings. While the standard client libraries used with PostgreSQL have escaped "'" in the safe, SQL-standard way of "''" for some time, the older practice remains common. As of PostgreSQL versions 8.1.4, 8.0.8, 7.4.13, 7.3.15, the server has been modified to reject "\'" when the client is using one of these encodings. This does NOT in itself fix all variants of the problem, but it will make it obvious that such a client is broken and in need of repair. A possible workaround for affected clients is to avoid use of the vulnerable character encodings.
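
The mechanism quoted above, as an added example that is not part of this ticket or of OpenPNE's code: a charset-unaware `\'` escape (what a client library keeps doing after the server's charset was changed behind its back with SET NAMES, rather than via mysql_set_charset()) is simulated alongside a server that decodes the query as GBK, where 0x5c may be the trailing byte of a character, and compared with the SQL-standard `''` escape and with UTF-8. The input value and the parsing helper are constructed for the example.

```python
# Added example, not from the OpenPNE ticket: why a charset-unaware "\'" escape
# is unsafe when the server decodes the query as GBK (0x5c may be a trailing
# byte), and why the SQL-standard "''" escape and UTF-8 are not affected.

def escape_backslash(value: bytes) -> bytes:
    """Legacy byte-wise escaping: ' -> \\'  (what a client library does when it
    does not know the charset the server switched to via SET NAMES)."""
    return value.replace(b"'", b"\\'")


def escape_doubled(value: bytes) -> bytes:
    """SQL-standard escaping: ' -> ''  (never emits a 0x5c byte)."""
    return value.replace(b"'", b"''")


def text_after_literal(query: bytes, charset: str):
    """Decode the query the way the server would, then parse the first
    single-quoted literal with MySQL-style rules: a backslash escapes the next
    character and a doubled quote stands for one quote. Return the decoded
    text that follows the closing quote, or None if the literal never closes.
    A correctly escaped value yields an empty string."""
    text = query.decode(charset, errors="replace")
    i = text.index("'") + 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2                        # escaped character, skip it
        elif ch == "'" and text[i + 1:i + 2] == "'":
            i += 2                        # doubled quote inside the literal
        elif ch == "'":
            return text[i + 1:]           # literal closed here
        else:
            i += 1
    return None                           # unterminated literal


def leaked_tail(value: bytes, escape, charset: str):
    """Build SELECT '<escaped value>' and report what ends up outside it."""
    return text_after_literal(b"SELECT '" + escape(value) + b"'", charset)


# Constructed input: a GBK lead byte, a quote, and some trailing text.
VALUE = b"\xbf' x"

if __name__ == "__main__":
    # 0xbf 0x5c decodes to one GBK character, swallowing the backslash, so the
    # quote closes the literal and " x'" lands outside it.
    print(repr(leaked_tail(VALUE, escape_backslash, "gbk")))    # " x'"
    # Doubled quotes stay safe under GBK, and backslash escaping stays safe
    # under UTF-8, where 0x5c can never be a continuation byte.
    print(repr(leaked_tail(VALUE, escape_doubled, "gbk")))      # ''
    print(repr(leaked_tail(VALUE, escape_backslash, "utf-8")))  # ''
```

The check to carry over is the one in `text_after_literal`: escaping is only correct when it is done under the same charset the server will decode with, which is what mysql_set_charset() guarantees and SET NAMES does not.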

comment:2 Changed 15 years ago by kiwa

Keywords: OpenPNE2.8.10 OpenPNE2.11.5 added
Milestone: OpenPNE2.10.5

comment:3 Changed 15 years ago by ebihara

Keywords: OpenPNE2.8.10 OpenPNE2.11.5 removed
Milestone: OpenPNE2.10.5
Resolution: wontfix
Status: new → closed

As long as we have to support PHP 4, addressing this in OpenPNE 2.x is difficult.

Since this is not a critical problem as long as UTF-8 is used, I am closing this as wontfix.
