help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Printf and quoting in general, SQL injection in particular [was: Ema


From: Jean Louis
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Tue, 22 Jun 2021 03:47:04 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)

* Emanuel Berg via Users list for the GNU Emacs text editor 
<help-gnu-emacs@gnu.org> [2021-06-22 03:32]:
> Jean Louis wrote:
> 
> > I agree on that. But we cannot possibly expect all possible
> > dangers to be known by all possible programmers at all times
> > especially on this mailing list
> 
> OK, so the SQL injection is a common attack vector, but what
> should we call this issue?

It is probably lack of database administration skills. It is nothing
related to Emacs really. There is nothing special to SQL then to any
other kind of user's input. In fact, PostgreSQL and MySQL or MariaDB
are rather safe databases. If user does not have permission to DROP
tables or do something malicious, then it does not have it, finished
there. One can try it, but it will not work.

On the other hand injecting simple malicious Emacs Lisp anywhere in
any file is as a possible option omni-present on Internet, and we
don't even speak about that.

Thousands of users are blindly accepting programs from MELPA or any
kind of ELPA without knowing what is going to happen with the
data. And then we worry about possible SQL injections in Emacs Lisp. I
just wonder how and where SQL injection. Is it maybe by malicious
staff members versed in PostgreSQL? Or maybe Emacs Lisp running some
sensitive data online (without backup) being exposed to online
crackers trying to cheat the code and DROP some tables or do other bad
stuff? It is so unlikely to take place.

Bounty is US $10 from my side if somebody succeeds to SQL inject in my
software a DROP of a table.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]