[DB-SIG] mysql module embeds params in command string
Carl Karsten
carl at personnelware.com
Thu Jul 18 15:38:24 CEST 2013
I feel I need to post this now and then in hopes I find someone who
can do something about it. This might even be worth some PSF funding?
I am not a security expert, I am not qualified to asses the risk, it
doesn't matter if I consider this a vulnerability. That said, I know
it is a problem that should be fixed.
query = query % tuple(( get_codec(a, self.encoders)(db, a) for a in args )
self._query(query)
http://sourceforge.net/p/mysql-python/mysqldb-2/ci/default/tree/MySQLdb/cursors.py#l185
Yes: the mysql python module that everyone uses does string
substitution to combine the command and parameters into a command with
embedded constants.
I opened a bug against it years ago. I looked at fixing it, but that
lead me into coercing python values into whatever the mysql client lib
does, and that is not something I should be doing.
--
Carl K
More information about the DB-SIG
mailing list