Tryton - Issues

 

Issue8270

Title: Wrong DSN construction
Priority: urgent
Status: resolved
Superseder:
Nosy List: ced, reviewbot, roundup-bot
Type: crash
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 269321002

Created on 2019-04-10.10:09:55 by ced, last changed by roundup-bot.

Messages
New changeset 410a48a732a3 by Cédric Krier in branch '5.0':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/trytond/rev/410a48a732a3

New changeset 5e0629dbc137 by Cédric Krier in branch '4.8':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/trytond/rev/5e0629dbc137

New changeset e07943bc461d by Cédric Krier in branch '4.6':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/trytond/rev/e07943bc461d

New changeset 3a7c4b0a0da6 by Cédric Krier in branch '4.4':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/trytond/rev/3a7c4b0a0da6

New changeset e2dd05c4e988 by Cédric Krier in branch 'default':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/tryton-env/rev/e2dd05c4e988

New changeset f1ee858677a7 by Cédric Krier in branch 'default':
Replace dsn by params to connect to postgresql
https://hg.tryton.org/trytond/rev/f1ee858677a7

msg49026 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-04-15.00:28:45
I'm a little worried about the lack of reaction on this issue. I really would like to push this in the next bugfix release as we do not know if it could be an attack vector.

review269321002 updated at https://codereview.tryton.org/269321002/#ps281371002

msg48790 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-04-10.10:12:39
Here is review269321002 which replaces dsn by params to let psycopg2 escape the parameters.

msg48789 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-04-10.10:09:55
The DSN construction does not escape dbname. As the dbname comes from the request, it could contain anything (space, other attributes).
I do not think it can be used as a vector for an attack because psycopg2 validates the dsn by parsing it. So I did not report it as a security issue. But I think it should be fixed in all supported versions ASAP.
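
An added example (not part of the original issue or of trytond's code) of the difference the fix relies on: a DSN built by string formatting lets a request-supplied dbname contribute extra attributes or break parsing, while separately quoted parameters do not. The parser is a simplified stand-in for libpq's connection-string parsing, and the function names and sample values are constructed for illustration.

```python
# Added illustration; parse_dsn() is a simplified key=value parser written for
# this example, not psycopg2's or libpq's code.

def build_dsn_unescaped(dbname, host, user):
    """'Before' pattern: values are pasted into the DSN string as-is."""
    return "dbname=%s host=%s user=%s" % (dbname, host, user)

def quote_value(value):
    """Single-quote a value, backslash-escaping backslashes and quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build_dsn_from_params(**params):
    """'After' pattern: separate params, each quoted before joining."""
    return " ".join("%s=%s" % (k, quote_value(v)) for k, v in params.items())

def parse_dsn(dsn):
    """Parse "key=value key='quoted value'" pairs into a dict."""
    result, i, n = {}, 0, len(dsn)
    while True:
        while i < n and dsn[i].isspace():
            i += 1
        if i >= n:
            return result
        start = i
        while i < n and dsn[i] != "=" and not dsn[i].isspace():
            i += 1
        if i >= n or dsn[i] != "=":
            raise ValueError("missing '=' after %r" % dsn[start:i])
        key, i = dsn[start:i], i + 1
        quoted = i < n and dsn[i] == "'"
        if quoted:
            i += 1
        value = []
        while i < n and (dsn[i] != "'" if quoted else not dsn[i].isspace()):
            if dsn[i] == "\\" and i + 1 < n:
                i += 1  # escaped character: take the next one literally
            value.append(dsn[i])
            i += 1
        if quoted:
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1
        result[key] = "".join(value)

# Constructed request value (hypothetical): a name carrying a second attribute.
REQUESTED = "demo application_name=injected"

if __name__ == "__main__":
    print(parse_dsn(build_dsn_unescaped(REQUESTED, "localhost", "tryton")))
    print(parse_dsn(build_dsn_from_params(dbname=REQUESTED, host="localhost")))
```

With psycopg2, the 'after' pattern corresponds to passing keyword arguments to psycopg2.connect() rather than a hand-built string.
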
History
Date                 User         Action  Args
2019-04-16 22:29:19  roundup-bot  set     messages: + msg49080
2019-04-15 15:57:18  roundup-bot  set     messages: + msg49045
2019-04-15 15:57:10  roundup-bot  set     status: testing -> resolved
                                          nosy: + roundup-bot
                                          messages: + msg49043
2019-04-15 00:28:45  ced          set     messages: + msg49026
2019-04-10 10:16:20  reviewbot    set     nosy: + reviewbot
                                          messages: + msg48792
2019-04-10 10:12:40  ced          set     status: in-progress -> testing
                                          reviews: 269321002
                                          messages: + msg48790
                                          keyword: + review
2019-04-10 10:09:55  ced          create
