[Van-pm] A couple of bits of local perl news

mock mock at obscurity.org
Tue Oct 17 04:45:35 PDT 2006


On Mon, Oct 16, 2006 at 10:28:57PM -0700, Alex Pavlovic wrote:
> Hi,
> 
> It is however worth noting that such an attack simply won't work if you are 
> using Cat with plain DBI (traditional model) and placeholders. If you try
> overflowing by sending more arguments than necessary, DBI will complain.
> 
> Simple example:
> 
> my $model = $c->model('MyApp::Model::DBI');
> my $dbh = $model->dbh;
> 
> $dbh->do( 
> 	'UPDATE x SET y = ? WHERE z = ?', 
> 	{}, 
> 	$results->valid($x), 
> 	$results->valid($y) 
> );
> 
> #or
> $dbh->do( 
> 	'UPDATE x SET y = ? WHERE z = ?', 
> 	{}, 
> 	$c->req->param($x),
> 	$c->req->param($y) 
> );
> 
> In this case we expect 2 arguments and no more; if either valid or param for 
> $x or $y returns more than one, DBI will error out with something like the 
> following:
> 
> called with ... bind variables when ... are needed
> 
> The problem *really* relates to the code which builds SQL dynamically, 
> especially as illustrated in your example on seclist. One solution to the 
> problem as you point out is to force the result into scalar context.
> 
> The other solution is to abandon $c->req->param completely and switch over to  
> $c->req->parameters if you are on Cat. Then you simply get either a scalar or an 
> ARRAYREF back, instead of getting a list. ARRAYREFs can't be used without 
> explicit deref, so it solves your problem.
> 

You're right, using traditional DBI.pm you don't have to worry about this.
However, it's important to note two points.  First, SQL injection is not the
only place where this can bite you.  I've already found at least one software
package that puts a 'param' method into a config hash that also contains a
(supposedly) constant path.  Second, this was originally used to make the point
in my talk that what you don't know about the implementation of your ORM can
in fact hurt you.  More specifically, that your ORM cannot always protect you
from SQL injection (I've got another example taken from DBIx::Class in my
slides as well).  So yeah, there are plenty of ways to not do the wrong thing.
The problem is that there are also plenty of ways to shoot yourself in the foot,
and programmers being what they are, well...

Ain't google code grand:

http://www.google.com/codesearch?as_q=%5C%24%5Cw%2B-%3Evalid%5C%28&btnG=Search+Code&as_lang=perl&as_license_restrict=i&as_license=&as_package=&as_filename=&as_case=

http://www.google.com/codesearch?as_q=%28%3D%3E%7C%2C%29%5Cs*param%5C%28&btnG=Search+Code&as_lang=perl&as_license_restrict=i&as_license=&as_package=&as_filename=&as_case=

mock
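The list-context flattening discussed above, as an added Perl example that is not from either poster: a constructed stand-in for `$c->req->param` (the `%request` hash and the `param`/`parameters` subs are assumptions) shows a repeated request parameter overwriting a "constant" key in a config hash, followed by the two fixes the thread names (forcing scalar context, and the scalar-or-ARRAYREF shape of `$c->req->parameters`).

```perl
# Added example, not from the thread: a CGI-style param() that returns a list
# in list context lets a multi-valued request parameter overwrite a
# neighbouring "constant" hash key; the thread's two fixes follow.
use strict;
use warnings;
# Constructed stand-in for the request: the client sent 'username' three
# times. Catalyst's $c->req->param behaves the same way in list context.
my %request = (
    username => [ 'alice', 'path', '/etc/passwd' ],
    email    => ['alice@example.com'],
);
sub param {    # list context: all values; scalar context: first value
    my ($name) = @_;
    my $vals = $request{$name} || [];
    return wantarray ? @$vals : $vals->[0];
}
# Vulnerable: param() runs in list context inside the hash constructor, so
# 'path' => '/etc/passwd' lands in the list after the real path and wins.
sub build_config_unsafe {
    return { path => '/var/app/data', username => param('username'),
             email => param('email') };
}
# Fix 1: force scalar context so each call contributes exactly one value.
sub build_config_scalar {
    return { path => '/var/app/data', username => scalar param('username'),
             email => scalar param('email') };
}

# Fix 2 (the shape $c->req->parameters gives you): scalar or ARRAYREF per
# key. An ARRAYREF never flattens, so repeated input can be rejected.
sub parameters {
    my %p;
    $p{$_} = @{ $request{$_} } > 1 ? $request{$_} : $request{$_}[0] for keys %request;
    return \%p;
}
sub build_config_parameters {
    my $p = parameters();
    for my $k (qw(username email)) {
        die "multiple values submitted for $k\n" if ref $p->{$k} eq 'ARRAY';
    }
    return { path => '/var/app/data', username => $p->{username},
             email => $p->{email} };
}

for my $build ( \&build_config_unsafe, \&build_config_scalar ) {
    my $cfg = $build->();
    print join( ', ', map {"$_=$cfg->{$_}"} sort keys %$cfg ), "\n";
}
my $cfg = eval { build_config_parameters() };
print defined $cfg ? "ok\n" : "rejected: $@";
```

The unsafe builder prints `path=/etc/passwd` while the scalar-context builder keeps `/var/app/data`; the parameters-based builder refuses the request outright because the repeated value arrives as an ARRAYREF.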

