From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id PAA12276; Thu, 15 Jan 2004 15:03:27 +0100 (MET) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id PAA12735 for ; Thu, 15 Jan 2004 15:03:26 +0100 (MET) Received: from aomori.annexia.org (annexia.force9.co.uk [212.56.101.183]) by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id i0FE3P525188 for ; Thu, 15 Jan 2004 15:03:25 +0100 (MET) Received: from rich by aomori.annexia.org with local (Exim 3.36 #1 (Debian)) id 1Ah85k-0000x0-00; Thu, 15 Jan 2004 14:03:24 +0000 Date: Thu, 15 Jan 2004 14:03:24 +0000 To: caml-list@inria.fr Cc: lwn@lwn.net Subject: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch Message-ID: <20040115140324.GA3047@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.4i From: Richard Jones X-Loop: caml-list@inria.fr X-Spam: no; 0.00; escapes:01 inserting:01 bug:01 bugfixes:01 caml-:01 api:01 templating:01 2.0.:01 dbi:99 dbi:99 postgres:01 postgres:01 2004:99 pcre:01 templ:01 Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk A security problem has been found in mod_caml 1.0.5 and earlier which could lead to a SQL insertion attack on PostgreSQL databases. mod_caml normally escapes strings before inserting them into PostgreSQL queries. However a bug was found in this escaping function. This would allow attackers to craft arbitrary SQL commands to run against the database. This is fixed in version 1.0.6, along with some other minor bugfixes, or you can apply the source patch at the end of this message. Because savannah.nongnu.org continues to be partially unavailable, version 1.0.6 is available here: http://www.annexia.org/tmp/mod_caml-1.0.6.tar.gz (about 74K) Rich. ---------------------------------------------------------------------- From: http://www.merjis.com/developers/mod_caml/ What is mod_caml? mod_caml is a set of Objective CAML (OCaml) bindings for the Apache API. It allows you to run CGI scripts written in OCaml directly inside the Apache webserver. However, it is much much more than just that: * Bind to any part of the Apache request cycle. * Read and modify internal Apache structures. * Share modules of code between handlers and scripts. * CGI library and templating system (allows separation of code and presentation). * Works with Apache 1.3 and Apache 2.0. * DBI library for simple database access. * DBI library can use Perl DBDs (database drivers) [requires Perl4Caml >= 0.3.6] ---------------------------------------------------------------------- diff -u -r1.11 dbi_postgres.ml --- dbi_postgres.ml 23 Nov 2003 14:24:57 -0000 1.11 +++ dbi_postgres.ml 15 Jan 2004 13:34:04 -0000 @@ -42,11 +42,16 @@ (* Damn. [Postgres] module doesn't export the PQescapeString function, so * I've had to write it myself. *) -let escape_string s = - String.concat "" [ "'"; - (Pcre.replace ~pat:"'" ~templ:"''" s); - "'" ] +let escape_string = + let re1 = Pcre.regexp "'" in (* Double up any single quotes. *) + let sub1 = Pcre.subst "''" in + let re2 = Pcre.regexp "\\\\" in (* Double up any backslashes. *) + let sub2 = Pcre.subst "\\\\" in + fun s -> + let s = Pcre.replace ~rex:re1 ~itempl:sub1 s in + let s = Pcre.replace ~rex:re2 ~itempl:sub2 s in + "'" ^ s ^ "'" (* Surround with quotes. *) (* PCRE regular expressions for parsing timestamps and intervals. *) let re_timestamp = ---------------------------------------------------------------------- -- Richard Jones. http://www.annexia.org/ http://freshmeat.net/users/rwmj Merjis Ltd. http://www.merjis.com/ - improving website return on investment MAKE+ is a sane replacement for GNU autoconf/automake. One script compiles, RPMs, pkgs etc. Linux, BSD, Solaris. http://www.annexia.org/freeware/makeplus/ ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners