possible SQL injection into db APIs via table names... sqlite3 #55894

Closed
illume mannequin opened this issue Mar 26, 2011 · 11 comments
Labels
type-security A security issue

Comments

illume mannequin commented Mar 26, 2011

BPO 11685
Nosy @loewis, @merwok, @akheron

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2012-05-29.16:22:00.857>
created_at = <Date 2011-03-26.16:18:38.403>
labels = ['type-security']
title = 'possible SQL injection into db APIs via table names... sqlite3'
updated_at = <Date 2012-05-29.17:01:17.128>
user = 'https://bugs.python.org/illume'

bugs.python.org fields:

activity = <Date 2012-05-29.17:01:17.128>
actor = 'illume'
assignee = 'none'
closed = True
closed_date = <Date 2012-05-29.16:22:00.857>
closer = 'petri.lehtinen'
components = []
creation = <Date 2011-03-26.16:18:38.403>
creator = 'illume'
dependencies = []
files = []
hgrepos = []
issue_num = 11685
keywords = []
message_count = 11.0
messages = ['132247', '132249', '132251', '132255', '132256', '132257', '132293', '132374', '132426', '161896', '161903']
nosy_count = 4.0
nosy_names = ['loewis', 'illume', 'eric.araujo', 'petri.lehtinen']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue11685'
versions = []

illume mannequin commented Mar 26, 2011

Hi,

you can possibly do an SQL injection via table names (and maybe some other parts of queries). Tested with sqlite3, but maybe it affects others too.

You cannot do parameter substitution for table names, so people use normal Python string formatting instead.

If the table name comes from an untrusted source, then possibly an SQL injection could happen.

cheers,

@illume illume mannequin added the type-security A security issue label Mar 26, 2011
loewis mannequin commented Mar 26, 2011

Why do you think this is a bug in Python?

illume mannequin commented Mar 26, 2011

Hello,

because the sqlite3 package comes with python.

loewis mannequin commented Mar 26, 2011

But putting untrusted strings into the table name is a bug in the application, not in Python.

illume mannequin commented Mar 26, 2011

The bug in Python is that you cannot use parameter substitution to put the table names into the queries. So people are forced to use string substitution instead.

loewis mannequin commented Mar 26, 2011

Ah. That's not a limitation of Python, but a limitation of sqlite. See

http://www.sqlite.org/c3ref/bind_blob.html

for how parameter binding works. The table name is not supported as a parameter; neither are column names or database names.

So if you want this feature added, please request it from the sqlite developers; Python will then naturally inherit it. I'm skeptical that they are open to such a proposal, though, since it will be a massive change in SQL parsing.

illume mannequin commented Mar 27, 2011

Hi,

aaah, ok.

It seems to require the use of a quote function. See http://www.sqlite.org/c3ref/mprintf.html

However python does not seem to expose the function? I don't see how you can write safe queries using python without it.

merwok commented Mar 27, 2011

Aren’t you supposed to use the DB API to get safe queries?
http://docs.python.org/dev/library/sqlite3

loewis mannequin commented Mar 28, 2011

> Aren’t you supposed to use the DB API to get safe queries?
> http://docs.python.org/dev/library/sqlite3

Yes, but the OP complains that the DB API doesn't support specification
of the table name from a parameter. So the DB API won't help here.

akheron commented May 29, 2012

No SQL library that I know of provides a way to escape table names. The quoting functions are always meant to escape string parameters. This is true for sqlite3_mprintf(), too (the %q and %Q options).

If you build table names from user input, your database design is somehow flawed.

@akheron akheron closed this as completed May 29, 2012
illume mannequin commented May 29, 2012

Hi,

Here is an article with people trying to find a solution:
http://stackoverflow.com/questions/6514274/how-do-you-escape-strings-for-sqlite-table-column-names-in-python

"The psycopg2 documentation explicitly recommends using normal python % or {} formatting to substitute in table and column names."

SQLAlchemy uses a format_table method with their SQL compiler to quote table names for sqlite.

It's probably just sane to either use SQLAlchemy, use ctypes to get at the sqlite mprintf function, or perhaps look at the above stackoverflow article for more solutions.

There is python code out there vulnerable to attack, that doesn't quote table names correctly. Including at least one major python framework. Hopefully people who care will follow some of the above links.

cheers,

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022