[Bugs] [Bug 1319740] Tiering is not resistant to SQL-injection

bugzilla at redhat.com bugzilla at redhat.com
Tue Mar 22 06:09:31 UTC 2016


https://bugzilla.redhat.com/show_bug.cgi?id=1319740



--- Comment #6 from Dan Lambright <dlambrig at redhat.com> ---
Per command history, the experiment yesterday did not include the quotes ""
around $FILENAME. This seems to have inserted a partial file name, but I do not
observe additional SQL commands executed and the table dropped. If you do add
the quotes, the entire string is inserted. 

In the test case you need to cd to $M0.

Let us know if tier_sql_injection.t can reproduce a problem.

$ FILENAME='filename-before-sql-injection; DROP TABLE GF_FILE_TB; DROP TABLE GF_FLINK_TB; COMMIT;'

$ touch /mnt/"${FILENAME}"

$ echo "select * from gf_flink_tb;" | sqlite3 /home/t4/.glusterfs/t4.db

ad837931-3359-4788-b571-4688471bdf4b|00000000-0000-0000-0000-00000000001|filename-before-sql-injection; DROP TABLE GF_FILE_TB; DROP TABLE GF_FLINK_TB; COMMIT;|0|0

$ stat /mnt/"${FILENAME}"
  File: ‘/mnt/filename-before-sql-injection; DROP TABLE GF_FILE_TB; DROP TABLE GF_FLINK_TB; COMMIT;’
  Size: 0               Blocks: 0          IO Block: 131072 regular empty file
Device: 27h/39d Inode: 13074308744355766091  Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:fusefs_t:s0
Access: 2016-03-22 01:39:26.462364000 -0400
Modify: 2016-03-22 01:39:26.462364000 -0400
Change: 2016-03-22 01:39:26.463364174 -0400
 Birth: -
[root@rhs-cli-01 rhs-glusterfs]# echo $?
0

Try without quotes:

$ touch /mnt/$FILENAME

$ echo "select * from gf_flink_tb;" | sqlite3 /home/t3/.glusterfs/t3.db
806f3d74-fb51-43d2-aef1-7c5a84fa5d2a|00000000-0000-0000-0000-000000000001|filename-before-sql-injection;|0|0

[root@rhs-cli-01 rhs-glusterfs]# ls -l /mnt
total 0
-rw-r--r--. 1 root root 0 Mar 22 01:45 filename-before-sql-injection;
-rw-r--r--. 1 root root 0 Mar 22 01:41 'filename-before-sql-injection; DROP TABLE GF_FILE_TB; DROP TABLE GF_FLINK_TB; COMMIT;'

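Added example, not part of the original comment and not GlusterFS code: a check that runs the file name from the comment, plus a constructed variant containing a single quote, through a bound-parameter insert and a string-built insert against an in-memory SQLite database. The table names come from the comment; the three-column layout, the function names and the quote-bearing name are assumptions.

```python
import sqlite3

# Constructed test names: [0] is the name used in the comment above,
# [1] is an assumed variant that also contains a single quote.
NAMES = [
    "filename-before-sql-injection; DROP TABLE GF_FILE_TB; "
    "DROP TABLE GF_FLINK_TB; COMMIT;",
    "filename-before-sql-injection'); DROP TABLE GF_FILE_TB; --",
]

def new_db():
    """In-memory database with a simplified, assumed table layout."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE GF_FILE_TB (GF_ID TEXT PRIMARY KEY);"
        "CREATE TABLE GF_FLINK_TB (GF_ID TEXT, GF_PID TEXT, FNAME TEXT);")
    return db

def tables(db):
    q = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    return [row[0] for row in db.execute(q)]

def record_link_bound(db, gfid, pgfid, fname):
    """Bound parameters: fname is passed as data, never as SQL text."""
    db.execute("INSERT INTO GF_FLINK_TB VALUES (?, ?, ?)", (gfid, pgfid, fname))
    db.commit()

def record_link_concat(db, gfid, pgfid, fname):
    """Anti-pattern: fname is pasted into the statement text."""
    sql = f"INSERT INTO GF_FLINK_TB VALUES ('{gfid}', '{pgfid}', '{fname}');"
    db.executescript(sql)  # runs every statement in the string, like sqlite3_exec()

def check(insert, name):
    """Insert one name into a fresh database and classify the outcome."""
    db = new_db()
    before = tables(db)
    try:
        insert(db, "gfid-1", "pgfid-1", name)
    except sqlite3.Error:
        return "statement failed"
    if tables(db) != before:
        return "schema changed"
    stored = [row[0] for row in db.execute("SELECT FNAME FROM GF_FLINK_TB")]
    return "stored literally" if stored == [name] else "name altered"

if __name__ == "__main__":
    for insert in (record_link_bound, record_link_concat):
        for name in NAMES:
            print(f"{insert.__name__:20} {check(insert, name):17} {name!r}")
```

The name from the comment is stored literally by both inserts, so only the quote-bearing name tells them apart.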