[syslog-ng] Backslash-escaped quotes in message strings

Balazs Scheidler syslog-ng@lists.balabit.hu
Tue, 11 Nov 2003 18:32:01 +0100


On Tue, Nov 11, 2003 at 10:55:16AM +0100, Peter J. Holzer wrote:
> On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> > Setting the default for 'no' in templates is a security issue when sending
> > the template output to a database server (fairly common setup), imagine
> > an SQL query like:
> > 
> > INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> > 
> > if the quotation mark is not protected by a backslash, the DROP DATABASE
> > command will be executed. I think this scenario is less visible to a normal
> > user, at least it is more difficult to notice this possibility.
> 
> The proper quoting depends on the database, however. For example, Oracle
> doesn't recognize a backslash as quoting character:
> 
>     SQL> insert into foo values('foo\'bar');
>     ERROR:
>     ORA-01756: quoted string not properly terminated
> 
> you have to double the single quotes:
> 
>     SQL> insert into foo values('foo''bar');
> 
>     1 row created.
> 
> I think this is also ANSI SQL, the backslash is a mysql extension.

Thanks for the info. I've added a bug ticket to our bugzilla; this will be
added in the future.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
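The quoting difference Peter describes, as an added example that is not part of this thread and not syslog-ng code: it runs the thread's own injected message through three quoting strategies against an in-memory SQLite database, which follows the ANSI rule Peter quotes for Oracle (single quotes are doubled, a backslash is an ordinary character). The table name, the `escape_*` helpers and the sample message are constructed for the demonstration; the MySQL side, where the backslash form is correct, is not exercised here because it needs a live MySQL server.

```python
import sqlite3

# Constructed sample log line carrying the injection attempt from the
# thread's example (not a real log record).
HOSTILE_MSG = "Nov 12 12:23:34 localhost message';DROP DATABASE logdb"


def escape_ansi(value: str) -> str:
    """ANSI SQL quoting (Oracle, PostgreSQL, SQLite): double every single quote."""
    return value.replace("'", "''")


def escape_backslash(value: str) -> str:
    """MySQL-style quoting: protect quotes and backslashes with a backslash.
    This is what a backslash-escaping template option emits."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def insert_literal(conn: sqlite3.Connection, msg: str, escaper) -> str:
    """Build the INSERT by string concatenation, the way a log template does,
    and report whether the database accepted the statement."""
    sql = f"INSERT INTO logdb (msg) VALUES ('{escaper(msg)}')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"error: {exc}"


def insert_param(conn: sqlite3.Connection, msg: str) -> str:
    """Bound parameter: the driver quotes for its own dialect, so the
    template does not need to know which escaping rule applies."""
    conn.execute("INSERT INTO logdb (msg) VALUES (?)", (msg,))
    conn.commit()
    return "ok"


def stored_messages(conn: sqlite3.Connection) -> list:
    """Return every stored message in insertion order."""
    return [row[0] for row in conn.execute("SELECT msg FROM logdb ORDER BY rowid")]


def run_demo() -> dict:
    """Exercise each quoting strategy once and collect the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logdb (msg TEXT)")
    results = {
        # No escaping: the embedded quote ends the literal early and the
        # remainder is parsed as SQL, so the statement is malformed/rejected.
        "raw": insert_literal(conn, HOSTILE_MSG, lambda s: s),
        # Backslash escaping: SQLite, like Oracle, treats '\' as an ordinary
        # character, so the literal is still terminated early and rejected.
        "backslash": insert_literal(conn, HOSTILE_MSG, escape_backslash),
        # Doubled quote: accepted, and the stored text is exactly the message.
        "ansi": insert_literal(conn, HOSTILE_MSG, escape_ansi),
        # Bound parameter: accepted regardless of dialect.
        "param": insert_param(conn, HOSTILE_MSG),
    }
    results["stored"] = stored_messages(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the two dialect-aware paths (doubled quote and bound parameter) store the message intact; the backslash form that protects a MySQL destination is rejected outright by an ANSI-style parser. For a template-driven pipeline that fans out to several databases, the practical consequence is that one fixed escaping rule cannot be correct for every destination, and quoting is best left to the driver that knows the dialect.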