Hi!
On 2004-05-13 19:43 +0200, Peter Eisentraut wrote:
> Silently truncating various pieces of information is probably not the
> right thing.
But IMHO still better than overwriting arbitrary other data and code.
If an user supplies bogus input, he cannot expect to get something
sane out.
> What are you truncating?
By now:
- DSN, username, password, and the whole connection string;
- table names in info.c:
make_string(szTableName, cbTableName, pktab, sizeof(pktab));
- Two calls in info.c:
make_string(szPkTableName, cbPkTableName, pk_table_needed, sizeof(pk_table_needed));
make_string(szFkTableName, cbFkTableName, fk_table_needed, sizeof(fk_table_needed));
If these values should not be truncated, then psqlodbc should not use
fixed buffer sizes. Currently truncating them is way more sane than
letting them mess up the whole memory.
> If it's a query string you might open yourself up to SQL-injection
> type problems.
I don't think that the patch affects whole query strings, but of
course I may be wrong. The point of this patch was to fix the most
apparent overflows with least possible changes, and after a week of
silence on the lists I just had to do something about it. And now at
least the connection and exec methods seem to work safely.
> Plus, the ODBC driver appears to have buffer overruns all over the
> place. We need to replace every instance of strcpy, strcat, sprintf,
> make_string, and the various other feeble attempts with pqexpbuffer
> from libpq. That's the only way to solve this problem once and for
> all.
I would be glad if the next psqlodbc version would be written in a
sane way, without fixed string lengths and with a clear and safe
string "class" interface. But doing this is far beyond the scope of a
security patch (especially for Debian stable).
One question: which mailing list is the better place to discuss this?
-odbc or -bugs?
Thanks and have a nice day!
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.de http://www.debian.org
