Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encoding of IO lists is unsafe (missing escaping) #182

Open
maximedenes opened this issue Nov 20, 2016 · 1 comment
Open

Encoding of IO lists is unsafe (missing escaping) #182

maximedenes opened this issue Nov 20, 2016 · 1 comment

Comments

@maximedenes
Copy link

Queries executed with IO list arguments are not correctly escaped, leading to possible code injections:

emysql:execute(mypool, <<"SELECT * FROM foo WHERE id = ?">>, [["te'st"]]).

I believe the culprit is in emysql_conn.erl:

encode(Val, binary) when is_list(Val) ->
    list_to_binary(quote(Val));

if Val is an iolist, quote will have no effect and list_to_binary will happily construct an unescaped (binary) string.
@qingchuwudi qingchuwudi mentioned this issue Nov 3, 2017
Closed
@maximedenes
Copy link
Author

Having such a critical vulnerability unaddressed for more than three years is probably a sign that a strong disclaimer should be added to the landing page, advising against using this package in production.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@maximedenes