[COLUG] Postgres / Python
Aaron Howard
archanoid at gmail.com
Mon Jun 23 18:54:53 EDT 2008
It's not necessarily the existing stored procedures being exploited
that's the problem. If an attacker suspects python support he can
attempt various SQL injection techniques that could potentially create
new stored procedures that could do all kinds of damage.
No matter what db, when doing web work that uses a db, make sure to
scrub all user input to avoid SQL injection woes.
On 6/23/08, Mark Erbaugh <mark at microenh.com> wrote:
> A recent post here triggered a question I'd been meaning to ask.
>
> While the gist of the post was that you shouldn't use stored procedures,
> I noticed that you can write Postgres stored procedures using Python,
> but that Python is considered 'untrusted'. I believe this is because
> Python has no restricted execution model so code written in Python can
> access anything that the Postgres daemon can. Thus, I can see a
> potential security issue, hence untrusted.
>
> My question is how much of a security hole is this in a production
> application? If the Postgres server has Python support, but only
> executes pre-written Python stored procedures and those stored
> procedures never execute any user-supplied code, can this still be used
> to gain unwanted access to the server?
>
> Mark
>
> _______________________________________________
> colug432 mailing list colug432 at colug.net
> http://www.colug.net/mailman/listinfo/colug432
>
--
==
Aaron Howard
archanoid at gmail.com
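To make the point in the reply above concrete, here is an added example that is not part of the original thread or any COLUG member's code: the same lookup written with string concatenation (vulnerable) and with a driver placeholder (safe). It uses Python's stdlib sqlite3 as a stand-in for Postgres so it runs offline; the table, rows and the hostile input are constructed for the demo. With psycopg2 against Postgres the safe form is identical except that the placeholder is `%s` instead of `?`.

```python
import sqlite3

# Constructed sample data; sqlite3 (stdlib) stands in for Postgres so this runs offline.
SEED_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation: user input becomes SQL text.

    A value such as  x' OR '1'='1  rewrites the WHERE clause and leaks every row;
    with a multi-statement driver the same hole lets the attacker append
    arbitrary statements, which is the route to the "new stored procedures"
    scenario discussed in the thread.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Uses a bound parameter: the driver sends the value as data, never as SQL.

    The hostile string is compared literally against the name column, matches
    nothing, and cannot change the shape of the statement.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"          # constructed injection input
    print(lookup_vulnerable(conn, "alice"))   # ['alice@example.com']
    print(lookup_vulnerable(conn, hostile))   # both addresses leak
    print(lookup_safe(conn, hostile))         # []
```

Parameterization closes the door the reply describes regardless of which languages the server has installed. As a second layer, the role the web application connects as should not be a superuser: in Postgres only superusers can create functions in an untrusted language such as plpythonu, so an injection through a non-superuser role cannot plant new Python procedures even if the first defence fails.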