From: Laurent Destailleur (eldy)
Subject: Re: [Dolibarr-dev] Vulnerabilities
Date: Sun, 20 Oct 2013 15:56:13 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
On 18/10/2013 17:02, Doursenaud, Raphaël wrote:
This is a wrong affirmation. There are two levels of sanitizing.

- The first one is when receiving parameters. For this one, it is correct that sanitizing is not complete. But we don't want this first level to be complete, and it is not possible (for example, if a user wants to submit an example of an SQL script into a comment or a mailing list, he should be able to). So it is true that this level of protection is not complete, but it is not the goal of this first level; protection is guaranteed by the second level, and the report lets one think we tried to make things secured with the first level. No, security is guaranteed by the second level and only the second level (because it is possible to do so completely only with the second level).

- The second level is when forging SQL requests, HTML output or command line strings. It is the level that makes things completely secured. For this case, there are functions that exist to make complete sanitizing:
  * for HTML output, the function is dol_escape_htmltag
  * for JavaScript output, the function is dol_escape_js
  * for SQL forging, the function is db->escape
  * for scripts, the function is escape_shell

Maybe at specific places in the code, calling those functions was forgotten, but saying the sanitizing functions are not fixed is wrong since these functions are not bugged (the report was just speaking about the first level). There is no need to use parametrized queries. This will not change anything; we will still need to use the escape function according to the way data is used (HTML, JavaScript, SQL or command line string). So we must just be sure that we are using the sanitizing function when we should.
--
Eldy (Laurent Destailleur).
EMail: address@hidden
Web: http://www.destailleur.fr
Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: address@hidden
AWStats (Author): http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: address@hidden
AWBot (Author): http://awbot.sourceforge.net
CVSChangeLogBuilder (Author): http://cvschangelogb.sourceforge.net
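The "second level" described in the mail, escaping chosen by the output context rather than at parameter intake, shown as an added example that is not Dolibarr's own code. The Dolibarr helpers named above (dol_escape_htmltag, dol_escape_js, $db->escape, escape_shell) are not reproduced; PHP built-ins stand in for them, and for the SQL context a bound parameter on a SQLite in-memory database is used in place of a MySQL-specific escape, since that needs no live server. The sample comment string is constructed.

```php
<?php
// Added example (not Dolibarr code): one untrusted string emitted into four
// output contexts, each with the escaping that matches that context. The
// Dolibarr helper names from the mail are assumptions for the reader; PHP
// built-ins are used here so the script runs stand-alone (PHP >= 7.3).

declare(strict_types=1);

// Constructed sample input: a comment carrying an SQL fragment, HTML markup,
// a quote and a shell metacharacter. Per the mail, level 1 (parameter intake)
// must let such content through unchanged, so level 2 has to do the work.
$untrusted = "O'Brien <b>x</b>; SELECT * FROM users WHERE 1=1 -- \$(id)";

// Context 1: HTML body or attribute value. ENT_QUOTES covers both quote
// styles, so the value is also safe inside a single- or double-quoted attribute.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Context 2: a JavaScript string literal inside a <script> block.
// json_encode yields a valid JS literal; the HEX flags additionally neutralise
// "</script>" and quote characters so the literal cannot close the block.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Context 3: a single argument on a command line. escapeshellarg wraps the
// value in single quotes and escapes embedded single quotes.
function escapeShell(string $s): string
{
    return escapeshellarg($s);
}

// Context 4: an SQL literal. A bound parameter lets the driver separate data
// from the statement; the stored body is read back to show it is unchanged.
function storeComment(PDO $db, string $comment): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)');
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    $row = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')
              ->fetch(PDO::FETCH_ASSOC);
    return $row['body'];
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

echo "HTML : <td>" . escapeHtml($untrusted) . "</td>\n";
echo "JS   : <script>var c = " . escapeJs($untrusted) . ";</script>\n";
echo "Shell: /usr/bin/logger " . escapeShell($untrusted) . "\n";
echo "SQL  : round-tripped unchanged: "
    . var_export(storeComment($db, $untrusted) === $untrusted, true) . "\n";
```

Running it with `php example.php` prints the same input rendered four ways; each rendering is only valid in its own context, which is the point of the mail: a single intake filter cannot know which of the four the value will end up in, so the escape call has to sit where the HTML, JavaScript, SQL or command line is actually forged.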