Merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections into lp:openobject-server/7.0
| Status | Work in progress |
|---|---|
| Proposed branch | lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections |
| Merge into | lp:openobject-server/7.0 |
| Diff against target | 26 lines (+9/-1), 1 file modified: openerp/sql_db.py (+9/-1) |
| To merge this branch | bzr merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections |
| Related bugs | |
| Review via email | mp+164190@code.launchpad.net |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| OpenERP Core Team | | | Pending |
Description of the change
Proof of concept of database names sanitization at the connection pool level. This would have the side effect of preventing trivial exploits of PostgreSQL's CVE-2013-1899 vulnerability on unpatched systems.
This works by enforcing an arbitrary pattern for allowed database names: ^[\w][\w.-]+
This is unlikely to be merged in 7.0 as it would constitute a backwards-
We could consider merging this in trunk, but it would be much less useful to prevent the exploit. If we do that, we should also take into account the performance hit of the extra regex check (the regex check is performed *very often* - usually more than once per incoming request). DSNs should probably be cached - they really only need to be computed once.
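The following is an added, stand-alone Python 3 illustration of the two ideas in the description (a whitelist regex on database names checked before any DSN is built, and DSN caching so the regex runs once per distinct name); it is not the code of this branch, and the function names, the DSN format and the connection defaults are constructed for the example. One caveat is worth seeing in code: the pattern as written in the description, `^[\w][\w.-]+`, has no end anchor, so with `re.match` it accepts any string that merely starts with a valid name. The example therefore adds a trailing `$` (an assumption about the intent, matching the Database Manager pattern, which is end-anchored) and uses `re.ASCII` so `\w` means `[A-Za-z0-9_]` rather than any Unicode word character.

```python
import re
from functools import lru_cache

# Pattern from the merge description, anchored at the end as well so the whole
# name must match (assumption: full-string match was intended). re.ASCII keeps
# \w to [A-Za-z0-9_]; on Python 3 str patterns it would otherwise accept any
# Unicode letter or digit.
DB_NAME_RE = re.compile(r'^[\w][\w.-]+$', re.ASCII)

# The same pattern without the end anchor, kept only to show the pitfall.
DB_NAME_PREFIX_RE = re.compile(r'^[\w][\w.-]+', re.ASCII)


class InvalidDatabaseName(ValueError):
    """Raised when a database name does not match DB_NAME_RE."""


def check_db_name(db_name):
    """Return db_name unchanged if it matches the whitelist, else raise."""
    if not isinstance(db_name, str) or not DB_NAME_RE.match(db_name):
        raise InvalidDatabaseName("invalid database name: %r" % (db_name,))
    return db_name


def is_valid_db_name(db_name):
    """Boolean wrapper around check_db_name()."""
    try:
        check_db_name(db_name)
    except InvalidDatabaseName:
        return False
    return True


def prefix_match_accepts(db_name):
    """What an unanchored re.match() would decide for db_name.

    Demonstrates why the end anchor matters: a name with a valid prefix
    followed by anything at all still "matches".
    """
    return DB_NAME_PREFIX_RE.match(db_name) is not None


@lru_cache(maxsize=256)
def dsn(db_name, host='localhost', port=5432, user='openerp'):
    """Build a libpq key=value DSN for db_name, validating the name first.

    Memoised so the regex check runs once per distinct name instead of on
    every connection request. Exceptions are not cached by lru_cache, so a
    rejected name is re-checked (and re-rejected) on each call.
    """
    check_db_name(db_name)  # hypothetical validator; constructed for this example
    return 'dbname=%s host=%s port=%d user=%s' % (db_name, host, port, user)


if __name__ == '__main__':
    for name in ['openerp_7', '2013.test-db', 'db name', 'db;name', '-x', 'a']:
        print('%-14r valid=%-5s prefix_only=%s'
              % (name, is_valid_db_name(name), prefix_match_accepts(name)))
    dsn('openerp_7')
    dsn('openerp_7')
    print(dsn.cache_info())
```

Note that the pattern requires at least two characters (`[\w]` plus one or more of `[\w.-]`), exactly as the description's pattern does; single-character names are rejected by design of the pattern, not by anything added here.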
Unmerged revisions
- 4976. By Olivier Dony (Odoo)
[FIX] sql_db: sanitize database names before connecting to them - prevents exploiting PostgreSQL CVE-2013-1899 vulnerability
The Database Manager screen enforces this pattern: ^[a-zA-Z][a-zA-Z0-9_-]+$
so we are just a bit less restrictive and allow leading numbers and underscores for manually created databases.