List: proftpd-committers
Subject: [ProFTPD-committers] CVS: proftpd/contrib mod_sql_mysql.c,1.21,1.22 mod_sql_postgres.c,1.16,1.17
From: TJ Saunders <castaglia () users ! sourceforge ! net>
Date: 2003-06-28 17:14:13
Update of /cvsroot/proftp/proftpd/contrib
In directory sc8-pr-cvs1:/tmp/cvs-serv26582/contrib
Modified Files:
mod_sql_mysql.c mod_sql_postgres.c
Log Message:
Add comments about providing proper escapestring implementations. Failure
to do so allows SQL injection.
Index: mod_sql_mysql.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_sql_mysql.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- mod_sql_mysql.c 29 May 2003 07:29:43 -0000 1.21
+++ mod_sql_mysql.c 28 Jun 2003 17:14:11 -0000 1.22
@@ -1185,8 +1185,9 @@
* the database documentation and figure it out) to do the conversion
* themselves in this function.
*
- * At the very least, a backend MUST simply copy the data from argv[0]
- * into the data field of the modret.
+ * A backend MUST supply a working escapestring implementation. Simply
+ * copying the data from argv[0] into the data field of the modret allows
+ * for possible SQL injection attacks when this backend is used.
*/
MODRET cmd_escapestring(cmd_rec * cmd)
{
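Review bot: the new comment states that a backend MUST supply a working escapestring implementation, but this hunk changes documentation only, so a backend that still copies argv[0] straight into the modret data field compiles and runs unchanged; consider pairing the comment with a code-level guard (a compile-time error or a log-and-fail path when the escaping routine is not wired up) so the requirement cannot be silently violated. It would also help readers of this file if the comment named the MySQL client library's own escaping routine (mysql_real_escape_string, which escapes according to the connection's character set) as the expected way to "do the conversion" the surrounding text refers to, rather than leaving it to "the database documentation". Minor wording: "allows for possible SQL injection attacks" reads hedged; "allows SQL injection" states the consequence plainly.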
Index: mod_sql_postgres.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_sql_postgres.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- mod_sql_postgres.c 17 Jun 2003 20:54:16 -0000 1.16
+++ mod_sql_postgres.c 28 Jun 2003 17:14:11 -0000 1.17
@@ -1077,8 +1077,9 @@
* the database documentation and figure it out) to do the conversion
* themselves in this function.
*
- * At the very least, a backend MUST simply copy the data from argv[0]
- * into the data field of the modret.
+ * A backend MUST supply a working escapestring implementation. Simply
+ * copying the data from argv[0] into the data field of the modret allows
+ * for possible SQL injection attacks when this backend is used.
*/
MODRET cmd_escapestring(cmd_rec * cmd) {
conn_entry_t *entry = NULL;
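Review bot: this hunk repeats the identical three-line comment from mod_sql_mysql.c verbatim; since the "backend MUST supply a working escapestring" rule is a contract every mod_sql backend must honour, it belongs once in the shared backend documentation (the interface both files implement) with a short pointer from each backend, otherwise the two copies will drift. For this file the comment could point at libpq's PQescapeString as the conversion routine the text asks backends to find in "the database documentation". Style: the two backends now document the same function with different brace placement (`MODRET cmd_escapestring(cmd_rec * cmd)` followed by `{` on its own line in mod_sql_mysql.c versus `MODRET cmd_escapestring(cmd_rec * cmd) {` here); worth aligning while both files are being touched.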
_______________________________________________
ProFTPD Committers Mailing List
proftpd-committers@proftpd.org
https://lists.sourceforge.net/lists/listinfo/proftp-committers