monotone-devel

Re: [Monotone-devel] TracMonotone


From: Nathaniel Smith
Subject: Re: [Monotone-devel] TracMonotone
Date: Wed, 26 Apr 2006 14:44:34 -0700
User-agent: Mutt/1.5.11

On Wed, Apr 26, 2006 at 10:54:02AM +0200, Thomas Moschny wrote:
> using their hex-id, or via a tag or branch name, and later via Monotone 
> selectors, too.

Just to let people know, the problem with monotone selectors is not
that Thomas is lazy and hasn't implemented support on the trac side,
but that we're lazy and haven't fixed the SQL injection attacks that
selectors are currently prone to :-).

Almost everywhere in monotone we use prepared statements, which are
basically immune to SQL injection issues.  However, the selector
code does some wacky dynamic-generation-of-SQL stuff, without taking
any care to quoting.  Therefore you can write selectors like
   mtn -r "b:foo'; DELETE FROM some_table;"
to achieve some... unpleasant effects.  (At least in theory.  I
haven't tried that particular line.)

This hasn't been super high priority, because selectors are only
accessible from the command line, so it doesn't matter if they're
insecure.  But exposing them through a web interface would change that
dramatically :-).

So, if anyone wants to help out with the trac support, this would be
one good target.

-- Nathaniel

-- 
"But suppose I am not willing to claim that.  For in fact pianos
are heavy, and very few persons can carry a piano all by themselves."
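As an added illustration (not code from the mail or from monotone itself), the dynamic-SQL pattern the mail describes beside the prepared-statement form, run against a constructed in-memory SQLite table standing in for monotone's cert storage; the schema, table name and the `b:` selector parsing are assumptions, and the hostile selector is the one from the mail with the table name substituted:

```python
import sqlite3

# Constructed stand-in for monotone's cert table; the real schema is not
# on the page and is assumed here.
SCHEMA = """
CREATE TABLE revision_certs (name TEXT, value TEXT, id TEXT);
INSERT INTO revision_certs VALUES ('branch', 'foo', 'rev-aaa');
INSERT INTO revision_certs VALUES ('branch', 'bar', 'rev-bbb');
"""

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def row_count(db):
    return db.execute("SELECT count(*) FROM revision_certs").fetchone()[0]

def build_unsafe_sql(selector):
    """The pattern the mail warns about: the branch part of a 'b:<name>'
    selector is pasted into SQL text with no quoting, so whatever it
    contains is parsed as SQL rather than treated as a value."""
    branch = selector[len("b:"):]
    return ("SELECT id FROM revision_certs WHERE name='branch' "
            "AND value='" + branch + "';")

def run_unsafe(db, selector):
    """executescript runs every statement in the string, mirroring a C
    caller handing the built text to sqlite3_exec. The stray quote the
    template leaves after the injected DELETE is a syntax error, but by
    then the DELETE has already run, so the error is swallowed here."""
    try:
        db.executescript(build_unsafe_sql(selector))
    except sqlite3.Error:
        pass

def lookup_branch_safe(db, selector):
    """Prepared statement: the branch name is bound as a parameter, never
    spliced into SQL text, so quotes and semicolons in it are just data."""
    branch = selector[len("b:"):]
    cur = db.execute(
        "SELECT id FROM revision_certs WHERE name='branch' AND value=?",
        (branch,))
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    hostile = "b:foo'; DELETE FROM revision_certs;"  # selector from the mail
    db = fresh_db()
    run_unsafe(db, hostile)
    print("rows left after unsafe path:", row_count(db))   # 0
    db = fresh_db()
    print(lookup_branch_safe(db, hostile), row_count(db))  # [] 2
    print(lookup_branch_safe(db, "b:foo"))                 # ['rev-aaa']
```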
