[Opensource] Double Entries in SQL-Injection filters
Michael Rimov
rimovm at centercomp.com
Thu Dec 12 19:37:24 PST 2002
Larry and all,

I did some investigation as to why the core.db.EscapeFilters were not
properly processing double input such as \\ or "", etc.
I finally figured out what was going on, so I wanted to explain it:

The XSS (Cross Site Scripting) Filters were originally designed with the
specification that:

Filter(Filter(x)) == Filter(x)

So what I mean by that is:

Filter(&) == &

but

Filter(&) == &

So what is happening with double backslashes is that the filter system
thinks that the double backslash is already filtered, since a single
backslash is translated into a double backslash.

It is a one-line fix to make it work for the SQL Injection Filters: change
calls to Filter to the lower-level Filter Tree (which only does dumb
matching and doesn't try to figure out if something is already filtered).

My question is: can anybody see this move breaking anything? I don't see
any strings getting processed twice on the way to getting written to the
database, but I wanted to double-check whether anybody sees something I don't.

Thanks in advance!

-Mike
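An added illustration of the behaviour described in this mail, written as a small Python model rather than the project's own core.db.EscapeFilters code: an escape filter that keeps Filter(Filter(x)) == Filter(x) by skipping anything that already looks escaped leaves a user-supplied double backslash untouched, so the database decodes it back to a single backslash, while the plain one-pass ("dumb matching") filter escapes every character it sees. The SQL_ESCAPES table and the db_unescape decoder are assumptions made for the example.

```python
# Constructed escape table: each raw character and its escaped form (assumption).
SQL_ESCAPES = {"\\": "\\\\", "'": "''", '"': '""'}


def dumb_escape(text):
    """One-pass filter: every matching character is escaped, no matter what
    precedes or follows it (models the lower-level 'Filter Tree')."""
    return "".join(SQL_ESCAPES.get(ch, ch) for ch in text)


def idempotent_escape(text):
    """Filter honouring Filter(Filter(x)) == Filter(x): any run that already
    looks like an escaped form is copied through unchanged, so a user-typed
    double backslash is mistaken for already-filtered data."""
    out, i = [], 0
    while i < len(text):
        for raw, escaped in SQL_ESCAPES.items():
            if text.startswith(escaped, i):   # "already escaped" -> keep as is
                out.append(escaped)
                i += len(escaped)
                break
        else:                                  # not an escape sequence -> escape
            out.append(SQL_ESCAPES.get(text[i], text[i]))
            i += 1
    return "".join(out)


def db_unescape(escaped):
    """Models how the database decodes the escaped literal (assumption):
    each escaped form is turned back into its raw character."""
    out, i = [], 0
    while i < len(escaped):
        for raw, esc in SQL_ESCAPES.items():
            if escaped.startswith(esc, i):
                out.append(raw)
                i += len(esc)
                break
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def round_trips(filter_fn, text):
    """True when what the database stores equals what the user sent."""
    return db_unescape(filter_fn(text)) == text


if __name__ == "__main__":
    for sample in ["\\\\", "''", "a\\b", "O'Neil"]:
        print(repr(sample), "dumb:", round_trips(dumb_escape, sample),
              "idempotent:", round_trips(idempotent_escape, sample))
```

The double-backslash and doubled-quote samples are exactly the inputs the mail reports as mishandled: the idempotent filter is stable under repeated application, but it silently changes what reaches the database.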