[DB-SIG] mysql module embeds params in command string

Carl Karsten carl at personnelware.com
Thu Jul 18 15:38:24 CEST 2013


I feel I need to post this now and then in hopes I find someone who
can do something about it.  This might even be worth some PSF funding?

I am not a security expert, I am not qualified to asses the risk, it
doesn't matter if I consider this a vulnerability.  That said, I know
it is a problem that should be fixed.

 query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
 self._query(query)

http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185

Yes: the mysql python module that everyone uses does string
substitution to combine the command and parameters into a command with
embedded constants.

I opened a bug against it years ago.  I looked at fixing it, but that
lead me into coercing python values into whatever the mysql client lib
does, and that is not something I should be doing.


-- 
Carl K


More information about the DB-SIG mailing list