
Introduce a blacklisting feature.

Do not send certain queries to the database. Modify the query to be
invalid instead.
i0rek committed Aug 27, 2013
1 parent 2c1cb7f commit e911be84a1539dc2aa6212cf2e04554bd42e9391
Showing with 27 additions and 0 deletions.
  1. +1 −0 Makefile
  2. +8 −0 usual/blacklisting.c
  3. +10 −0 usual/blacklisting.h
  4. +8 −0 usual/safeio.c
@@ -42,6 +42,7 @@ libusual_a_SOURCES = usual/config.h.in \
usual/heap.h usual/heap.c \
usual/list.h usual/list.c \
usual/logging.h usual/logging.c \
usual/blacklisting.h usual/blacklisting.c \
usual/mbuf.h usual/mbuf.c \
usual/mdict.h usual/mdict.c \
usual/mempool.h usual/mempool.c \
@@ -0,0 +1,8 @@
#include <usual/blacklisting.h>

int cf_blacklist = 0;

int blacklisting(void)
{
return cf_blacklist;
}
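Review bot: nothing in this patch assigns cf_blacklist, so blacklisting() always returns 0 and the rewrite added to safe_send cannot trigger until a later change wires the flag to configuration; a comment in blacklisting.c saying where the flag is expected to be set would make the intent clear, and if it is only meant to be flipped by configuration code, a setter is safer than a writable exported global.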
@@ -0,0 +1,10 @@
#ifndef _USUAL_BLACKLISTING_H_
#define _USUAL_BLACKLISTING_H_

#include <usual/base.h>

extern int cf_blacklist;

int blacklisting(void);

#endif
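Review bot: the header declares cf_blacklist and blacklisting() without documenting what is blacklisted or what happens to a matching query; since the actual behaviour lives in safe_send in usual/safeio.c, a short comment here describing the contract (which messages are matched, and that they are rewritten in place rather than dropped) would help callers understand the side effect.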
@@ -25,6 +25,7 @@

#include <usual/socket.h>
#include <usual/logging.h>
#include <usual/blacklisting.h>
#include <usual/string.h>
#include <usual/time.h>

@@ -69,6 +70,13 @@ int safe_send(int fd, const void *buf, int len, int flags)
int res;
char ebuf[128];
loop:
if (blacklisting()) {
if (memcmp(((char *)buf) + 5, "SELECT COUNT(*) FROM", 20) == 0) {
log_info("Canceling query: '%s'", ((char *)buf) + 5);
memcpy(((char *)buf) + 5, "SELECT 1 FROM 1337;--", 21);

RumataEstor Jan 28, 2020

What if the original query was exactly 20 characters? This will overwrite the terminating \0, which may result in application memory (imagine some sensitive data) being passed through to the database as a query, which may be logged or passed back to the application, eventually revealing that sensitive information.

RumataEstor Jan 28, 2020

I noticed len below. Then that 21st character will actually overwrite the data located right after the buffer which may result in "nobody knows what was overwritten and what breaks after".

}
}

res = send(fd, buf, len, flags);
if (res < 0 && errno == EINTR)
goto loop;
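Review bot: the memcmp and memcpy at the start of the blacklisting block read 20 and write 21 bytes at buf+5 without checking that len covers them, so a message shorter than 26 bytes is read and written past its end, and the memcpy is one byte longer than the region memcmp matched (the inline comments already describe the terminator and len consequences). Guard both on the length, e.g. `if (len >= 5 + 21 && memcmp(((char *)buf) + 5, "SELECT COUNT(*) FROM", 20) == 0)`, and if the +5 is skipping a one-byte message type plus a four-byte length header, check the type byte as well so that only query messages are rewritten. Two further points in the same block: buf is declared `const void *buf`, yet the code casts the const away and rewrites the caller's buffer in place, so either take a non-const buffer, copy into a local one, or document the side effect; and `log_info("Canceling query: '%s'", ((char *)buf) + 5)` relies on a NUL terminator that a length-delimited send buffer does not guarantee, so print with a bounded width such as `%.*s` and len - 5. Finally, the replacement depends on the trailing `--` commenting out whatever follows byte 26 of the original message; a query containing a newline after that point would have its remainder executed, so the comment-out does not reliably neutralise the rest of the query.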
