[DB-SIG] mysql module embeds params in command string
carl at personnelware.com
Thu Jul 18 15:38:24 CEST 2013
I feel I need to post this now and then in hopes I find someone who
can do something about it. This might even be worth some PSF funding?
I am not a security expert, I am not qualified to assess the risk, it
doesn't matter if I consider this a vulnerability. That said, I know
it is a problem that should be fixed.
query = query % tuple((get_codec(a, self.encoders)(db, a) for a in args))
Yes: the mysql python module that everyone uses does string
substitution to combine the command and parameters into a command with
I opened a bug against it years ago. I looked at fixing it, but that
led me into coercing python values into whatever the mysql client lib
does, and that is not something I should be doing.
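An added illustration of the mechanism the post describes (not code from the post or from MySQLdb): every parameter is converted to a quoted, escaped SQL literal on the client and only then substituted into the query with `%`, so the safety of the resulting statement rests entirely on that escaping step matching the server's settings. The escape table below assumes MySQL's default backslash-escaping mode; `escape_string`, `literal`, `render` and `render_unescaped` are hypothetical stand-ins, not the library's API.

```python
"""Client-side parameter interpolation as MySQLdb-style drivers do it.

This is a reduced emulation, not MySQLdb's own code. It shows why the
`query % tuple(...)` line is only as safe as the escaping behind it.
"""
import datetime

# Assumption: the server runs without the NO_BACKSLASH_ESCAPES sql_mode and
# the connection charset is ASCII-compatible. Under NO_BACKSLASH_ESCAPES a
# backslash is a plain character and this table is wrong; with some
# multibyte charsets a byte-oriented escape can also be wrong. The real
# client library escapes with knowledge of the connection's charset,
# which is why reimplementing this in Python is the hard part.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def escape_string(s: str) -> str:
    """Backslash-escape the characters MySQL treats specially in a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def literal(value) -> str:
    """Convert one Python value into an SQL literal (stand-in for db.literal)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, (datetime.date, datetime.datetime)):
        return "'%s'" % value.isoformat(" ") if isinstance(value, datetime.datetime) \
            else "'%s'" % value.isoformat()
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return "'%s'" % escape_string(str(value))


def render(query: str, args) -> str:
    """What cursor.execute(query, args) sends: escape each arg, then substitute."""
    return query % tuple(literal(a) for a in args)


def render_unescaped(query: str, args) -> str:
    """What an application does when it formats the SQL itself: no escaping."""
    return query % tuple(args)


if __name__ == "__main__":
    # Constructed sample: a name containing a quote, which a literal must contain.
    print(render("SELECT id FROM users WHERE name = %s", ("O'Brien",)))
    print(render_unescaped("SELECT id FROM users WHERE name = '%s'", ("O'Brien",)))
```

The second printed statement shows the quote passing through unchanged and terminating the literal early, which is the failure mode the driver's escaping step exists to prevent.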