app_config
Bug: Allow ' in the values in the postgres backend (sqli)
Seeing this: https://github.com/Oshuma/app_config/blob/6148df46ac6a2a7be047bebac61b40db988d051c/lib/app_config/storage/postgres.rb#L48-L56
I know end-user input is not expected to be stored in a configuration backend, but the code as it stands is classic SQL injection.
This might be relevant: http://deveiate.org/code/pg/PG/Connection.html#method-c-escape_string
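Added example, not part of the issue and not app_config's own code: it contrasts a statement built by interpolating a value between quotes with the placeholder-plus-parameters shape that `PG::Connection#exec_params` takes, and uses a small literal scanner to show what an apostrophe does to each. The table and column names, the sample value and all helper names are assumptions made for illustration.

```ruby
# Added illustration; table and column names are hypothetical.
SAMPLE = { 'owner' => "O'Reilly" }.freeze # constructed sample value

# Vulnerable pattern: the value is interpolated inside a quoted SQL literal.
def build_update_interpolated(table, values)
  set = values.map { |k, v| "#{k} = '#{v}'" }.join(', ')
  "UPDATE #{table} SET #{set}"
end

# Local stand-in for identifier quoting: wrap in "..." and double embedded ".
def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

# Hardened form: $n placeholders plus a separate parameter array, the
# argument shape taken by PG::Connection#exec_params(sql, params).
def build_update_parameterized(table, values)
  set = values.keys.each_with_index
              .map { |k, i| "#{quote_ident(k)} = $#{i + 1}" }.join(', ')
  ["UPDATE #{quote_ident(table)} SET #{set}", values.values.map(&:to_s)]
end

# Minimal scanner for '...' literals ('' is an escaped quote). Returns the
# literal contents, or nil when a literal is left unterminated. It ignores
# E'' strings, dollar quoting and comments, so it is a teaching aid only.
def string_literals(sql)
  literals = []
  current = nil
  chars = sql.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if current.nil?
      current = String.new if c == "'"
    elsif c == "'" && chars[i + 1] == "'"
      current << "'"
      i += 1
    elsif c == "'"
      literals << current
      current = nil
    else
      current << c
    end
    i += 1
  end
  current.nil? ? literals : nil
end
```

With the interpolated form the apostrophe ends the literal early and the rest of the value is parsed as SQL; with the parameterized form the statement text contains no literal at all and the value travels unchanged in the parameter array.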