[Opensource] Re: Double Entries in SQL-Injection filters
larry hamel
expresso at codeguild.com
Thu Dec 12 22:45:43 PST 2002
hi Mike R.
ok, that makes sense. thanks for the background info.
I'm assuming that we're just talking about Filters for SQL, not any change to the filters for XSS.
the core issue seems to be with repeated-char transformations, and the "divisible" nature of those strings.
since expresso has only 1 filtering/transformation location on the way to SQL output, I think we can tell the Filters not to worry about transforming "too much". In other words, if the filter gets "''''", it is NOT because some filter in front of it has already escaped "''". we are sure that the user has requested "''''" because there is only one filtering location.
the only problem I imagine is if a user actually intends to specify their *own* escaping, e.g. they type "blah''blah" thinking that they are escaping for mysql or others. but in that case, the developer can just use a no-op ("raw") escape handler.
agree?
larry
At 07:37 PM 12/12/2002, you wrote:
>Larry and all,
>
>I did some investigation as to why the core.db.EscapeFilters were not properly processing double-input such as \\ or "", etc.
>
>I finally figured out what was going on, so I wanted to explain it:
>
>The XSS (Cross Site Scripting) Filters were originally designed with the specification that:
> Filter(Filter(x)) == Filter(x)
>
>So what I mean by that is:
> Filter(&) == &amp;
> but
> Filter(&amp;) == &amp;
>
>So what is happening with double backslashes is that the filter system thinks that the double backslash is already filtered, since a single backslash is translated into a double backslash.
>
>It is a one line fix to make it work for the SQL Injection Filters: Change calls to Filter, to the lower level Filter Tree (Which only does dumb matching and doesn't try to figure out if something is already filtered).
>
>My question is: can anybody see this move breaking anything? I don't see any strings getting processed twice on the way to getting written to the database, but I wanted to double-check if anybody sees something I don't.
>
>Thanks in advance!
> -Mike
>
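Added example (not Expresso's code; written in Python rather than Java so it runs stand-alone) contrasting the two strategies the thread discusses: an idempotent filter that passes a doubled `''` or `\\` through untouched because it assumes an earlier pass produced it, and the "dumb matching" escaper that doubles every special character. A small constructed model of how a database decodes the literal shows that the idempotent filter breaks the round trip for exactly the inputs Mike and Larry mention, while the single-pass escaper does not.

```python
# Constructed illustration of the two escaping strategies; not Expresso's code.

def idempotent_sql_escape(s: str) -> str:
    """Filter(Filter(x)) == Filter(x): a pair '' or \\ is left alone on the
    assumption that an earlier filter pass already produced it."""
    out, i = [], 0
    while i < len(s):
        pair = s[i:i + 2]
        if pair in ("''", "\\\\"):      # looks already escaped: pass through
            out.append(pair)
            i += 2
        elif s[i] in ("'", "\\"):       # single special char: double it
            out.append(s[i] * 2)
            i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def plain_sql_escape(s: str) -> str:
    """Dumb matching: every backslash and quote is doubled, no guessing."""
    return s.replace("\\", "\\\\").replace("'", "''")

def db_parse_literal(lit: str) -> str:
    """Model (not a real parser) of how a database decodes a quoted literal:
    '' -> ' and \\x -> x. Raises if a lone quote would end the string early."""
    if len(lit) < 2 or lit[0] != "'" or lit[-1] != "'":
        raise ValueError("not a quoted literal")
    body, out, i = lit[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1]); i += 2
        elif body.startswith("''", i):
            out.append("'"); i += 2
        elif body[i] == "'":
            raise ValueError("unbalanced quote: literal terminated early")
        else:
            out.append(body[i]); i += 1
    return "".join(out)

def round_trips(escape, value: str) -> bool:
    """True when what the database stores equals what the user typed."""
    return db_parse_literal("'" + escape(value) + "'") == value

if __name__ == "__main__":
    for v in ["O'Brien", "''", "''''", "\\\\"]:   # constructed sample inputs
        print(repr(v), round_trips(idempotent_sql_escape, v),
              round_trips(plain_sql_escape, v))
```

The idempotent filter is the right shape for XSS output encoding that may run more than once, but with a single escaping location on the way to SQL it silently changes any user-typed `''` or `\\`.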