Version française
Home     About     Download     Resources     Contact us    
Browse thread
[Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: -- (:)
From: Richard Jones <rich@a...>
Subject: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
A security problem has been found in mod_caml 1.0.5 and earlier which
could lead to a SQL insertion attack on PostgreSQL databases.
mod_caml normally escapes strings before inserting them into
PostgreSQL queries.  However a bug was found in this escaping
function.  This would allow attackers to craft arbitrary SQL commands
to run against the database.

This is fixed in version 1.0.6, along with some other minor bugfixes,
or you can apply the source patch at the end of this message.

Because savannah.nongnu.org continues to be partially unavailable,
version 1.0.6 is available here:

http://www.annexia.org/tmp/mod_caml-1.0.6.tar.gz (about 74K)

Rich.

----------------------------------------------------------------------

From: http://www.merjis.com/developers/mod_caml/

What is mod_caml?

mod_caml is a set of Objective CAML (OCaml) bindings for the Apache
API. It allows you to run CGI scripts written in OCaml directly inside
the Apache webserver. However, it is much much more than just that:

    * Bind to any part of the Apache request cycle.
    * Read and modify internal Apache structures.
    * Share modules of code between handlers and scripts.
    * CGI library and templating system (allows separation of
      code and presentation).
    * Works with Apache 1.3 and Apache 2.0.
    * DBI library for simple database access.
    * DBI library can use Perl DBDs (database drivers) [requires
      Perl4Caml >= 0.3.6]

----------------------------------------------------------------------
diff -u -r1.11 dbi_postgres.ml
--- dbi_postgres.ml	23 Nov 2003 14:24:57 -0000	1.11
+++ dbi_postgres.ml	15 Jan 2004 13:34:04 -0000
@@ -42,11 +42,16 @@
 (* Damn. [Postgres] module doesn't export the PQescapeString function, so
  * I've had to write it myself.
  *)
-let escape_string s =
-  String.concat "" [ "'";
-		     (Pcre.replace ~pat:"'" ~templ:"''" s);
-		     "'" ]
+let escape_string =
+  let re1 = Pcre.regexp "'" in		(* Double up any single quotes. *)
+  let sub1 = Pcre.subst "''" in
+  let re2 = Pcre.regexp "\\\\" in	(* Double up any backslashes. *)
+  let sub2 = Pcre.subst "\\\\" in
+  fun s ->
+    let s = Pcre.replace ~rex:re1 ~itempl:sub1 s in
+    let s = Pcre.replace ~rex:re2 ~itempl:sub2 s in
+    "'" ^ s ^ "'"			(* Surround with quotes. *)
 
 (* PCRE regular expressions for parsing timestamps and intervals. *)
 let re_timestamp =
----------------------------------------------------------------------

-- 
Richard Jones. http://www.annexia.org/ http://freshmeat.net/users/rwmj
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
MAKE+ is a sane replacement for GNU autoconf/automake. One script compiles,
RPMs, pkgs etc. Linux, BSD, Solaris. http://www.annexia.org/freeware/makeplus/

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners