osmo-msc[master]: db: wrap dbi querying to log actual SQL on debug and error


Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Wed Dec 6 13:03:55 UTC 2017


Patch Set 1:

(1 comment)

https://gerrit.osmocom.org/#/c/5205/1/src/libmsc/db.c
File src/libmsc/db.c:

Line 197: dbi_result queryf(dbi_conn conn, const char *format, ...)
> That's just SQL injection waiting to happen. Too bad libdbi does not suppor
Our invocation of libdbi has always worked like this, and libdbi is only here for legacy reasons. We won't spend more time than strictly necessary on dbi now. I needed this to figure out what was going on during two recent error reports, but we're not going to refactor the way dbi works at this point. When calling those dbi quoting functions, presumably code injection is thwarted. Related: https://osmocom.org/issues/1591 -- It looks like we would even rather implement a separate SMSC instead of revamping this to use sqlite directly.


-- 
To view, visit https://gerrit.osmocom.org/5205
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I4171dad8ffffbf634a75dedde752d82c51ff7803
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-HasComments: Yes
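The review exchange above turns on one point: a printf-style `queryf()` drops caller-supplied values straight into SQL text, so the safety of every call depends on the value having gone through a quoting function first (libdbi offers `dbi_conn_quote_string_copy()` for that). The following added example is not code from osmo-msc or libdbi; it is a self-contained C illustration of the difference. `sql_quote_string()` is a hypothetical stand-in for the dbi quoting functions (single-quote the value, double any embedded single quote), `sql_literals_balanced()` is a small check that every string literal in the resulting SQL text is properly closed, and the table and column names are made up for the demonstration. The sample value `O'Brien` is constructed to show how an ordinary apostrophe breaks the naive form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a dbi quoting function: returns the value as a
 * SQL string literal, with every embedded single quote doubled, which is
 * how SQL escapes the quote character inside a literal. Caller frees. */
char *sql_quote_string(const char *in)
{
	size_t len = strlen(in), extra = 0, i, j = 0;
	for (i = 0; i < len; i++)
		if (in[i] == '\'')
			extra++;
	char *out = malloc(len + extra + 3); /* quotes + doubled quotes + NUL */
	if (!out)
		return NULL;
	out[j++] = '\'';
	for (i = 0; i < len; i++) {
		if (in[i] == '\'')
			out[j++] = '\'';
		out[j++] = in[i];
	}
	out[j++] = '\'';
	out[j] = '\0';
	return out;
}

/* Naive interpolation, the pattern the review comment warns about: the raw
 * value lands inside the SQL text with no quoting. */
int build_query_naive(char *buf, size_t size, const char *name)
{
	return snprintf(buf, size,
			"SELECT id FROM Subscriber WHERE name = '%s'", name);
}

/* Quoted interpolation: the value is passed through the quoting function
 * first, and the format string no longer supplies the surrounding quotes. */
int build_query_quoted(char *buf, size_t size, const char *name)
{
	char *q = sql_quote_string(name);
	if (!q)
		return -1;
	int n = snprintf(buf, size,
			 "SELECT id FROM Subscriber WHERE name = %s", q);
	free(q);
	return n;
}

/* Walk the SQL text and report whether every string literal is closed.
 * A doubled quote inside a literal is an escaped quote, not a terminator. */
int sql_literals_balanced(const char *sql)
{
	int in_literal = 0;
	for (const char *p = sql; *p; p++) {
		if (*p != '\'')
			continue;
		if (!in_literal)
			in_literal = 1;
		else if (p[1] == '\'')
			p++; /* escaped quote: stay inside the literal */
		else
			in_literal = 0;
	}
	return !in_literal;
}

/* Constructed sample value: a benign name containing an apostrophe. */
static const char *sample_name = "O'Brien";

/* Helpers that expose the two outcomes as return values. */
const char *demo_naive_sql(void)
{
	static char buf[128];
	build_query_naive(buf, sizeof buf, sample_name);
	return buf;
}

const char *demo_quoted_sql(void)
{
	static char buf[128];
	build_query_quoted(buf, sizeof buf, sample_name);
	return buf;
}

int main(void)
{
	printf("naive : %s  (balanced=%d)\n", demo_naive_sql(),
	       sql_literals_balanced(demo_naive_sql()));
	printf("quoted: %s  (balanced=%d)\n", demo_quoted_sql(),
	       sql_literals_balanced(demo_quoted_sql()));
	return 0;
}
```

The naive form produces `... name = 'O'Brien'`, where the apostrophe ends the literal early and leaves a dangling quote; the quoted form produces `... name = 'O''Brien'`, a single well-formed literal. The check does not replace a quoting discipline, but a balance check like this on the logged SQL is a cheap way to spot a call site that skipped the quoting step.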



More information about the gerrit-log mailing list