I am working on a fix to the postgres module for the recent PostgreSQL security issue. It's a pretty significant problem, allowing SQL injections whenever people are using multi-byte character encodings. Is there a formal security announcement process or anything I should be aware of?
And while talking about postgres, has Postgres.postgres been deprecated long enough that it can be removed in 7.7 and merged with Sql.postgres into a single module?
Adam
Normally we just conduct all security discussions without hiding anything. If you see that it might lead to problems for open installations out there, send a private message to me or Martin Nilsson. We can probably make sure that there at least is a new source build available 1h or so after a fix is checked in, if we decide a date and time in advance.
On Thu, 25 May 2006 00:25:01 +0000 (UTC) "Peter Bortas @ Pike developers forum" 10353@lyskom.lysator.liu.se wrote:
> Normally we just conduct all security discussions without hiding anything. If you see that it might lead to problems for open installations out there, send a private message to me or Martin Nilsson. We can probably make sure that there at least is a new source build available 1h or so after a fix is checked in, if we decide a date and time in advance.
Well, I checked in a fix for 7.6 and 7.7 yesterday. The problem will affect anyone using the postgres module to connect to a database that is using a multi-byte character encoding, or UTF-8. It allows people to bypass the quoting of SQL characters like ', so SQL injection is possible even when people are using the Pike module properly to try to prevent that.
Adam
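The failure mode Adam describes, as an added Python example that is not from this thread and not Pike's postgres module: a byte-oriented escaper that prefixes ' and \ with a backslash, next to an encoding-aware quoter that decodes the input in the connection encoding first (rejecting malformed byte sequences) and quotes by doubling the apostrophe. A small checker models an encoding-aware SQL lexer and reports whether a produced literal still closes exactly where it should. GBK is an assumption chosen for illustration because its trail bytes include 0x5C; the sample inputs are constructed.

```python
# Added example (not from the Pike project): why byte-level quoting of SQL
# string literals breaks under multi-byte encodings, and an encoding-aware
# alternative. GBK is used only because its trail bytes include 0x5C, the
# ASCII backslash; any encoding with that property behaves the same way.
from typing import Optional


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping: prefix every ' and \\ with a backslash.

    Unsafe with a multi-byte connection encoding: the inserted 0x5C can be
    absorbed as the trail byte of the preceding character, leaving the
    apostrophe unescaped.
    """
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):  # ' or \
            out.append(0x5C)
        out.append(b)
    return b"'" + bytes(out) + b"'"


def safe_escape(raw: bytes, encoding: str) -> bytes:
    """Encoding-aware quoting.

    1. Decode with the connection encoding; malformed sequences raise
       UnicodeDecodeError instead of reaching the server.
    2. Quote at the character level by doubling ' (SQL-standard), so no
       backslash is ever inserted into the byte stream.
    """
    text = raw.decode(encoding)  # strict decoding rejects malformed input
    return ("'" + text.replace("'", "''") + "'").encode(encoding)


def rejects_malformed(raw: bytes, encoding: str) -> bool:
    """True if safe_escape refuses the input as invalid in that encoding."""
    try:
        safe_escape(raw, encoding)
    except UnicodeDecodeError:
        return True
    return False


def literal_end(literal: bytes, encoding: str) -> Optional[int]:
    """Model an encoding-aware SQL lexer with backslash escapes enabled.

    Returns the character index of the closing quote, or None if the literal
    never closes. Closing before the last character means the remaining
    bytes would be parsed as SQL rather than as string content.
    """
    text = literal.decode(encoding, errors="replace")
    assert text[0] == "'"
    i = 1
    while i < len(text):
        c = text[i]
        if c == "\\":  # backslash escape: skip the escaped character
            i += 2
            continue
        if c == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                i += 2  # doubled quote: a literal apostrophe
                continue
            return i  # closing quote
        i += 1
    return None


def literal_is_intact(literal: bytes, encoding: str) -> bool:
    """True only if the literal closes exactly at its final character."""
    end = literal_end(literal, encoding)
    length = len(literal.decode(encoding, errors="replace"))
    return end is not None and end == length - 1


if __name__ == "__main__":
    # Constructed sample: a GBK lead byte (0xBF) directly followed by an
    # apostrophe. Not a valid GBK sequence, so it must be rejected, not
    # "escaped" byte by byte.
    sample = b"\xbf' x"
    print("naive intact:", literal_is_intact(naive_escape(sample), "gbk"))
    print("safe rejects:", rejects_malformed(sample, "gbk"))
    # Constructed well-formed GBK character whose trail byte is 0x5C, then '.
    wellformed = b"\xbf\x5c'"
    print("naive intact:", literal_is_intact(naive_escape(wellformed), "gbk"))
    print("safe intact :", literal_is_intact(safe_escape(wellformed, "gbk"), "gbk"))
```

The point for a driver author is the ordering: validate and decode in the connection encoding before quoting, and quote by doubling rather than by inserting bytes that a multi-byte decoder may reinterpret. Where the driver offers parameterized queries, they avoid the problem entirely.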
Ok. It's a bank holiday in Sweden today, so I'm already looking at another beta this evening.
pike-devel@lists.lysator.liu.se