caml-list - the Caml user's mailing list
From: Richard Jones <rich@annexia.org>
To: caml-list@inria.fr
Cc: lwn@lwn.net
Subject: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
Date: Thu, 15 Jan 2004 14:03:24 +0000
Message-ID: <20040115140324.GA3047@redhat.com>

A security problem has been found in mod_caml 1.0.5 and earlier which
could lead to a SQL insertion attack on PostgreSQL databases.
mod_caml normally escapes strings before inserting them into
PostgreSQL queries.  However a bug was found in this escaping
function.  This would allow attackers to craft arbitrary SQL commands
to run against the database.

This is fixed in version 1.0.6, along with some other minor bugfixes,
or you can apply the source patch at the end of this message.

Because savannah.nongnu.org continues to be partially unavailable,
version 1.0.6 is available here:

http://www.annexia.org/tmp/mod_caml-1.0.6.tar.gz (about 74K)

Rich.

----------------------------------------------------------------------

From: http://www.merjis.com/developers/mod_caml/

What is mod_caml?

mod_caml is a set of Objective CAML (OCaml) bindings for the Apache
API. It allows you to run CGI scripts written in OCaml directly inside
the Apache webserver. However, it is much much more than just that:

    * Bind to any part of the Apache request cycle.
    * Read and modify internal Apache structures.
    * Share modules of code between handlers and scripts.
    * CGI library and templating system (allows separation of
      code and presentation).
    * Works with Apache 1.3 and Apache 2.0.
    * DBI library for simple database access.
    * DBI library can use Perl DBDs (database drivers) [requires
      Perl4Caml >= 0.3.6]

----------------------------------------------------------------------
diff -u -r1.11 dbi_postgres.ml
--- dbi_postgres.ml	23 Nov 2003 14:24:57 -0000	1.11
+++ dbi_postgres.ml	15 Jan 2004 13:34:04 -0000
@@ -42,11 +42,16 @@
 (* Damn. [Postgres] module doesn't export the PQescapeString function, so
  * I've had to write it myself.
  *)
-let escape_string s =
-  String.concat "" [ "'";
-		     (Pcre.replace ~pat:"'" ~templ:"''" s);
-		     "'" ]
+let escape_string =
+  let re1 = Pcre.regexp "'" in		(* Double up any single quotes. *)
+  let sub1 = Pcre.subst "''" in
+  let re2 = Pcre.regexp "\\\\" in	(* Double up any backslashes. *)
+  let sub2 = Pcre.subst "\\\\" in
+  fun s ->
+    let s = Pcre.replace ~rex:re1 ~itempl:sub1 s in
+    let s = Pcre.replace ~rex:re2 ~itempl:sub2 s in
+    "'" ^ s ^ "'"			(* Surround with quotes. *)
 
 (* PCRE regular expressions for parsing timestamps and intervals. *)
 let re_timestamp =
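Review bot: the rewritten `escape_string` now doubles backslashes as well as single quotes, which is the gap in the removed version: PostgreSQL of this era treats `\` as an escape character inside an ordinary string literal, so a value ending in a backslash followed by a quote was turned into `\''`, which the server reads as an escaped quote plus a terminating quote, and the `''` doubling alone did not keep the value inside the literal. Two follow-ups for this hunk: add a regression test with a value containing both `\` and `'`, so the order of the two passes (quotes first, then backslashes, neither of which emits a character the other pass needs to see) is locked in; and extend the comment above `escape_string` to say that it returns a fully quoted literal, since the `PQescapeString` it mentions does not add the surrounding quotes and a caller porting between the two would otherwise double-quote. Longer term, a hand-written escape has to track the server's string-literal settings, so passing values as query parameters wherever the driver allows it remains the safer choice.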
----------------------------------------------------------------------

-- 
Richard Jones. http://www.annexia.org/ http://freshmeat.net/users/rwmj
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
MAKE+ is a sane replacement for GNU autoconf/automake. One script compiles,
RPMs, pkgs etc. Linux, BSD, Solaris. http://www.annexia.org/freeware/makeplus/

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
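As an added illustration, not code from mod_caml or from the message above: the two `escape_string` variants from the patch re-expressed in Python, plus a small scanner that mimics how a PostgreSQL server reads a quoted literal (backslash treated as an escape inside ordinary literals, as the server did in 2004 and still does when `standard_conforming_strings` is off). The scanner, the `round_trips` check and the sample values are constructed for this demonstration; the check is the kind of regression test that would have caught the 1.0.5 bug, and it also shows the reverse caveat that the doubled backslash is wrong once the server no longer treats backslash as an escape.

```python
# Added example (not mod_caml code): old vs. fixed escaping from the
# mod_caml 1.0.6 patch, checked against a constructed literal scanner.

def escape_old(s: str) -> str:
    """mod_caml <= 1.0.5: double single quotes only, then wrap in quotes."""
    return "'" + s.replace("'", "''") + "'"


def escape_new(s: str) -> str:
    """mod_caml 1.0.6: double quotes first, then backslashes, then wrap.
    Neither pass emits a character the other pass would need to see,
    so this order matches the patch and is safe."""
    s = s.replace("'", "''")
    s = s.replace("\\", "\\\\")
    return "'" + s + "'"


def scan_literal(sql: str, backslash_escapes: bool = True) -> tuple[str, str]:
    """Read one quoted string literal from the start of `sql`.

    Returns (decoded_value, remainder_after_the_literal). Inside the
    literal '' stands for a quote; with backslash_escapes=True a
    backslash makes the next character literal (pre-9.1 PostgreSQL
    default), so a lone quote always ends the literal.
    """
    if not sql.startswith("'"):
        raise ValueError("literal must start with a quote")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])      # escaped character, taken literally
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")         # doubled quote -> one quote
                i += 2
            else:
                return "".join(out), sql[i + 1:]   # closing quote
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def round_trips(escape, value: str, backslash_escapes: bool = True) -> bool:
    """True only if the escaped literal decodes back to `value` and the
    server would see nothing after it (i.e. the value stayed inside the
    literal). This is the property an escaping function must guarantee."""
    try:
        decoded, rest = scan_literal(escape(value), backslash_escapes)
    except ValueError:
        return False
    return decoded == value and rest == ""


if __name__ == "__main__":
    sample = "a\\'b"   # constructed value: backslash followed by a quote
    print("old :", escape_old(sample), round_trips(escape_old, sample))
    print("new :", escape_new(sample), round_trips(escape_new, sample))
    # The fixed escaping is only right while backslash is an escape char:
    print("new, standard_conforming_strings=on:",
          round_trips(escape_new, "a\\b", backslash_escapes=False))
```

With backslash escapes on, `escape_old("a\\'b")` yields `'a\''b'`, which the scanner decodes as `a'` with `b'` left outside the literal; `escape_new` keeps the whole value inside. With backslash escapes off, `escape_new` hands the server a doubled backslash that it no longer collapses, which is why a hand-written escape has to track the server configuration and why bound parameters are preferable where the driver offers them.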

