On Fri, May 26, 2006 at 01:12:27PM +0200, Federico Di Gregorio wrote:
> Nice, thank you for testing.
You're welcome.
> psycopg 2 already used '' instead of \' and converted data from unicode
> to the backend encoding raising an error in case of broken strings so if
> your app used u"" string you were probably safe. The only way to exploit
The args coming from the web form are generated by twisted.web2 and to
me it looks like they're just a plain ascii string (printing the dict I
don't see the "u" letter before the string).
It's basically like this:
args = { 'myarg' : 'xxx' }
sql = "select something from table where field = %(myarg)s"
runQuery(sql, args)
psycopg2 was invoked by runQuery with "sql" and args, both plain ascii.
I don't actually exclude it could all become unicode if the browser
pushes it in some other way (I use multipart/form-data to handle
multiple choice), but the point is that it should work transparently
either way and it could be plain ascii as well.
So it's still unclear to me if I was theoretically vulnerable or not
over the last month (in practice nobody tried to abuse, so I've nothing
to worry about, I'm just being curious ;).
> But if you set your backend to UTF-8 or a multi-byte encoding you're
> using unicode objects in Python and not plain strings, right? :/
I set the backend to UTF-8 primarily because this was the default and
secondly because I thought perhaps it could be helpful in the long term ;)
Thanks.
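The following is an added example and is not psycopg2's code, nor code from either participant in the thread. It mirrors the two properties Federico describes (quotes are escaped by doubling them rather than with a backslash, and text is converted to the backend encoding strictly so a broken string raises instead of being quoted) and shows that a plain byte string from a web framework and a unicode string take the same path. The names `quote_literal` and `render_query`, the `%(name)s` placeholder syntax and the sample inputs are assumptions made for the example.

```python
import re

# Added example, not psycopg2's code: a minimal client-side literal quoting
# routine with the two properties discussed in the thread.


def quote_literal(value, backend_encoding="utf-8"):
    """Return `value` as a quoted SQL string literal (text, not bytes).

    Accepts either already-encoded bytes (what a web framework may hand over
    as a plain ASCII str in Python 2) or text (a unicode object), so both
    kinds of caller go through the same validation and quoting.
    """
    if isinstance(value, bytes):
        # Strict decode: a truncated or invalid multibyte sequence raises
        # UnicodeDecodeError rather than being passed on to the server.
        text = value.decode(backend_encoding)
    elif isinstance(value, str):
        # Strict encode round trip: a character the backend encoding cannot
        # represent raises UnicodeEncodeError instead of being silently
        # replaced.
        value.encode(backend_encoding)
        text = value
    else:
        raise TypeError("only str or bytes can be quoted as a string literal")
    # Doubling the quote character is the SQL-standard escape and does not
    # depend on how the server treats backslashes.
    escaped = text.replace("'", "''")
    return "'" + escaped + "'"


def render_query(sql, args, backend_encoding="utf-8"):
    """Substitute %(name)s placeholders in `sql` with quoted literals.

    Stand-in for what a DB-API driver does with runQuery(sql, args): the SQL
    text and the parameters stay separate until each value has been quoted.
    """
    def replace(match):
        return quote_literal(args[match.group(1)], backend_encoding)

    return re.sub(r"%\((\w+)\)s", replace, sql)


if __name__ == "__main__":
    # Constructed sample matching the shape of the query in the thread.
    args = {"myarg": "xxx"}
    sql = "select something from table where field = %(myarg)s"
    print(render_query(sql, args))
    print(render_query(sql, {"myarg": b"xxx"}))
    print(quote_literal("O'Brien"))
    try:
        # Constructed broken input: UTF-8 for "café" cut after the lead byte.
        quote_literal(b"caf\xc3")
    except UnicodeDecodeError as exc:
        print("rejected broken string:", exc)
```

The point of the round trip in the `str` branch is that a backend configured for a narrower encoding (say `latin-1` or `ascii`) rejects values it cannot represent at quoting time, the same outcome the thread describes for broken strings, rather than letting a substitution character reach the server.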