Re: [Exim] MySQL Authentication

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [Exim] MySQL Authentication
On 2002-03-26 at 22:35 +0100, Phil Pennock wrote:
>                                     The question is, how much is
> stripped off by ${local_part: ?


Well, since the LHS can be wrapped in double-quotes and contain
whitespace ... it doesn't even _need_ to contain @anything.

> What happens if someone with an account not authorised for mail supplies
> $1 as something like:
>
> BadUser' or AuthMail = 'N


"' or userID = 'BadUser' or AuthMail = '"@???

${local_part: will return the LHS of that quite happily. As I say, you
don't even need the @example.org here.

Thanks to precedence, that boolean OR makes the first test for
->AuthMail = "Y"<- irrelevant.

CREATE TABLE users ( AuthMail CHAR(1), userID CHAR(64), passwd CHAR(13) );
INSERT INTO users VALUES ('N', 'Badman', 'wEZJCovcA7zFo');
INSERT INTO users VALUES ('Y', 'Fred', 'sx4p8ql4RO/.U');

SELECT passwd FROM users WHERE AuthMail = "Y" and userID = '"' \
or userID = 'Badman' or AuthMail = '"';


Yep, that returns the string "wEZJCovcA7zFo" as a password.

You definitely need the ${quote_mysql:....} in there.
--
Never underestimate the power of stupid people in large groups.
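
Added example, not part of the original message: the lookup above run with the local part interpolated raw and then with quotes escaped first, to show the AND/OR precedence bypass and what quoting changes. Assumptions: Python's sqlite3 stands in for MySQL, local_part() and quote_sql() are simplified hypothetical stand-ins for Exim's ${local_part:...} and ${quote_mysql:...}, and the 'Y' literal is single-quoted for SQLite.

```python
import sqlite3

# Query shape from the message; {} is where the expanded local part lands.
QUERY = "SELECT passwd FROM users WHERE AuthMail = 'Y' AND userID = '{}'"

def make_db():
    """Constructed sample data: the same two rows as the message's INSERTs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (AuthMail CHAR(1), userID CHAR(64), passwd CHAR(13))")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("N", "Badman", "wEZJCovcA7zFo"),
                    ("Y", "Fred", "sx4p8ql4RO/.U")])
    return db

def local_part(address):
    """Simplified stand-in for ${local_part:...}: a double-quoted LHS is
    returned whole, quotes included; otherwise everything before the last @."""
    if address.startswith('"'):
        end = address.find('"', 1)
        if end != -1:
            return address[:end + 1]
    return address.rsplit("@", 1)[0]

def quote_sql(value):
    """Hypothetical stand-in for ${quote_mysql:...}. SQLite escapes a single
    quote by doubling it, so the value can no longer close the literal."""
    return value.replace("'", "''")

def lookup(db, supplied, quote):
    """Return the passwd values the lookup would hand back to the authenticator."""
    user = local_part(supplied)
    if quote:
        user = quote_sql(user)
    # Unquoted, the WHERE clause parses as
    #   (AuthMail = 'Y' AND userID = '"') OR userID = 'Badman' OR AuthMail = '"'
    # because AND binds tighter than OR, so the AuthMail test is skipped.
    return [row[0] for row in db.execute(QUERY.format(user))]

# Constructed input matching the message's string (the domain is arbitrary).
CRAFTED = "\"' or userID = 'Badman' or AuthMail = '\"@example.org"

if __name__ == "__main__":
    db = make_db()
    print("raw:   ", lookup(db, CRAFTED, quote=False))
    print("quoted:", lookup(db, CRAFTED, quote=True))
    print("Fred:  ", lookup(db, "Fred@example.org", quote=True))
```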