
Bug: Allow ' in the values in the postgres backend (sqli)

Open rud opened this issue 11 years ago • 4 comments

Seeing this: https://github.com/Oshuma/app_config/blob/6148df46ac6a2a7be047bebac61b40db988d051c/lib/app_config/storage/postgres.rb#L48-L56

I know end-user input is not expected to be stored in a configuration backend, but the code as it stands is classic SQL injection.

This might be relevant: http://deveiate.org/code/pg/PG/Connection.html#method-c-escape_string

rud avatar Sep 30 '14 09:09 rud

Oh hey, http://deveiate.org/code/pg/PG/Connection.html#method-i-exec_params is even easier to use, should you be so inclined.

Feel free to close if irrelevant.

rud avatar Sep 30 '14 09:09 rud
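As an added example (not code from app_config, nor from rud or Oshuma), here is the pattern the two comments above contrast: a value spliced into the statement text with string interpolation, versus the same write done with quote-doubling (the `escape_string` route) and with a placeholder plus separate parameter array (the `exec_params` route). The table and column names are assumptions, and the small `statements` helper only splits on semicolons outside single-quoted literals so the injected statement is visible without a database connection.

```ruby
# Added example, not app_config's own code. Table/column names are assumed.

# Vulnerable pattern: the value becomes part of the SQL text.
def unsafe_insert_sql(key, value)
  "INSERT INTO app_config (key, value) VALUES ('#{key}', '#{value}')"
end

# Escaping route: double every single quote before interpolating.
# In real code use PG::Connection#escape_string / #escape_literal, which also
# handle encoding and backslash rules; this stand-in is only for the demo.
def quote_literal(s)
  "'" + s.gsub("'", "''") + "'"
end

def escaped_insert_sql(key, value)
  "INSERT INTO app_config (key, value) VALUES (#{quote_literal(key)}, #{quote_literal(value)})"
end

# Parameter route: the SQL text holds only $1/$2; values travel separately.
# This [sql, params] pair is what you hand to conn.exec_params(sql, params).
def safe_insert(key, value)
  ["INSERT INTO app_config (key, value) VALUES ($1, $2)", [key, value]]
end

# Split SQL on ';' outside single-quoted literals ('' is an escaped quote).
# A rough way to count the statements a server would see; not a SQL parser.
def statements(sql)
  out = []
  cur = +""
  in_str = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_str
      if c == "'" && sql[i + 1] == "'"   # doubled quote stays inside the literal
        cur << "''"
        i += 1
      else
        in_str = false if c == "'"
        cur << c
      end
    elsif c == "'"
      in_str = true
      cur << c
    elsif c == ";"
      out << cur.strip unless cur.strip.empty?
      cur = +""
    else
      cur << c
    end
    i += 1
  end
  out << cur.strip unless cur.strip.empty?
  out
end

# Constructed attacker-controlled value: closes the literal and the VALUES list,
# then appends a second statement.
PAYLOAD = "x'); DROP TABLE app_config; --"

if __FILE__ == $0
  puts statements(unsafe_insert_sql("k", PAYLOAD)).inspect     # three statements
  puts statements(escaped_insert_sql("k", PAYLOAD)).inspect    # one statement
  sql, params = safe_insert("k", PAYLOAD)
  puts statements(sql).inspect, params.inspect                 # one statement, raw value kept
end
```

The third form is the one to prefer: with `exec_params` the value never touches the statement text, so there is nothing to escape and no encoding or `standard_conforming_strings` setting to get wrong.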

@rud I can imagine a system where app_config is used to store per-user config (i.e., config values accepted from end users), so this could potentially be an issue. I'll investigate when I get some spare time. Thanks for submitting the issue!

Oshuma avatar Sep 30 '14 16:09 Oshuma

You're most welcome

rud avatar Oct 01 '14 08:10 rud

Welp, this is still open a year later. I know, life happens :cake: :v:

rud avatar Oct 23 '15 10:10 rud