Re: Security: Atom injection attacks
- To: Elliotte Harold <elharo@xxxxxxxxxxxxxxx>
- Subject: Re: Security: Atom injection attacks
- From: James M Snell <jasnell@xxxxxxxxx>
- Date: Sat, 10 Mar 2007 09:02:33 -0800
- Cc: Atom-Protocol Protocol <atom-protocol@xxxxxxx>
- In-reply-to: <45F2E28E.6020603@xxxxxxxxxxxxxxx>
- List-archive: <http://www.imc.org/atom-protocol/mail-archive/>
- List-id: <atom-protocol.imc.org>
- References: <45F2E28E.6020603@xxxxxxxxxxxxxxx>
- Sender: owner-atom-protocol@xxxxxxxxxxxx
- User-agent: Thunderbird 1.5.0.10 (X11/20070306)
So long as you're not suggesting that we need to solve the problem, +1.
Proposed language would be helpful :-D
- James
Elliotte Harold wrote:
>
> I think we need to consider the possibility of SQL and other injection
> attacks using APP as a vector and add something to section 15 to cover this.
>
> A lot of APP servers and possibly some clients too will sit on top of
> SQL and XQuery databases. A lot of implementations are going to read the
> data out of the various elements, stuff it into a SQL statement using
> PHP string concatenation, and throw it at a database. And there's
> absolutely nothing in Atom to stop any of these fields from containing
> quotes, semicolons, brackets, and "DELETE * FROM CUSTOMERS".
>
> We don't need to solve this problem in APP, but I do think we need to
> acknowledge it, and warn implementers to be aware of it in the same way
> we warn implementers to be aware of much less serious problems like
> replay and spoofing attacks.
>
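The failure mode Elliotte describes, as an added example that is not part of the thread: an APP server reads `atom:title` and `atom:author/atom:name` out of a POSTed entry and writes them to a database, once by string concatenation and once with bound parameters. The entry documents, table layout and function names are constructed for this illustration; sqlite3 stands in for whatever database the server actually uses.

```python
import sqlite3
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"


def parse_entry(xml_text):
    """Extract title and author name from an Atom entry (text only, no validation)."""
    root = ET.fromstring(xml_text)
    title = root.findtext(ATOM_NS + "title") or ""
    author = root.findtext(ATOM_NS + "author/" + ATOM_NS + "name") or ""
    return title, author


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (title TEXT, author TEXT)")
    return db


def store_unsafe(db, title, author):
    # Concatenation: element text becomes part of the SQL statement itself.
    sql = ("INSERT INTO entries (title, author) VALUES ('"
           + title + "', '" + author + "')")
    db.execute(sql)


def store_safe(db, title, author):
    # Parameter binding: element text is passed as data, never parsed as SQL.
    db.execute("INSERT INTO entries (title, author) VALUES (?, ?)", (title, author))


def run(entry_xml, store):
    """Return (ok, stored_rows) for one POSTed entry under a storage routine."""
    db = fresh_db()
    title, author = parse_entry(entry_xml)
    try:
        store(db, title, author)
    except sqlite3.OperationalError:
        return False, []          # statement broke: Atom text changed the SQL
    return True, db.execute("SELECT title, author FROM entries").fetchall()


# Constructed entries. Nothing in Atom forbids a quote or comment marker in a title.
ENTRY_WITH_QUOTE = """<entry xmlns="http://www.w3.org/2005/Atom">
  <title>O'Reilly on APP</title><author><name>alice</name></author></entry>"""

ENTRY_SMUGGLED = """<entry xmlns="http://www.w3.org/2005/Atom">
  <title>x', 'admin') --</title><author><name>alice</name></author></entry>"""
```

With concatenation the first entry fails to store at all and the second lets the title field rewrite the author column; with bound parameters both are stored exactly as submitted.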