However, as reflected in these minutes, that case does not apply to SQLninja. Other uses that are clearly not illegal were discussed, so why are they rejecting this package?
Fedora rejects SQLninja
Posted Nov 10, 2010 18:00 UTC (Wed) by JoeBuck (subscriber, #2330)
Posted Nov 10, 2010 18:29 UTC (Wed) by gus3 (guest, #61103)
If you need SQLninja to take over a system, odds are approaching 1 that you don't have access rights to it anyway.
Posted Nov 10, 2010 21:40 UTC (Wed) by ballombe (subscriber, #9523)
Posted Nov 11, 2010 7:40 UTC (Thu) by codefisher (guest, #64993)
Posted Nov 11, 2010 9:15 UTC (Thu) by dlang (✭ supporter ✭, #313)
once the tool no longer works, you may or may not have actually fixed the real problem, all that you know is that this particular tool no longer works.
if you have a problem with SQL injection, you don't need a 'takeover' tool to show you that, you just need a fuzzing tool and watch your database logs for strange errors.
if you do have a SQL injection vulnerability, what you need to do is go back and look at your application design and how you are doing input validation and how you are interacting with the database (sanitization of database query parameters, switching to prepared statements, etc) and fix the problem at a conceptual level, that way you not only defend against this particular tool, you also defend against the entire class of tools that send you bogus input in the hope that it breaks you.
If you have this in place and a fuzzing tool still shows problems, then you have a bug in your input validation code, which means it's time to go back and really review the code, not just twist knobs until you don't see the breakage anymore.
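To show the conceptual fix dlang describes (a query built by string concatenation beside the same query as a prepared statement), here is an added example that is not from the thread; the in-memory table, the user rows and the inputs are all constructed for illustration.

```python
import sqlite3

# Constructed sample data, not from the LWN thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: the input becomes part of the SQL text, so a
    # quote in the input changes the structure of the query itself.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    # Prepared statement: the query structure is fixed and the input is
    # bound as data, so quotes in it are just characters to compare.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def malformed_input_errors(conn, name):
    # A stray quote breaks the concatenated query and raises a database
    # error: the "strange error" in the database logs that a fuzzer
    # surfaces, and the signal to review the query construction.
    try:
        login_vulnerable(conn, name, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    bogus = "' OR '1'='1"
    print("concatenated:", login_vulnerable(db, "alice", bogus))  # both users
    print("prepared:    ", login_prepared(db, "alice", bogus))    # nobody
    print("stray quote raises error:", malformed_input_errors(db, "o'brien"))
```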
Posted Nov 11, 2010 16:21 UTC (Thu) by gidoca (subscriber, #62438)
Posted Nov 11, 2010 16:23 UTC (Thu) by gidoca (subscriber, #62438)
Posted Nov 12, 2010 19:22 UTC (Fri) by till (subscriber, #50712)
Posted Nov 11, 2010 13:16 UTC (Thu) by Trou.fr (subscriber, #26289)
Posted Nov 10, 2010 18:31 UTC (Wed) by jspaleta (subscriber, #50639)
A policy such as this needs to be balanced with some specific tests concerning likely or foreseeable use to put some guidance in place for the packaging community and for future Board members into the very subjective discretionary space this policy carves out.
This would be easier if the Fedora Board were a legally binding court of law in some jurisdiction. If they were, the Board's resulting policy statement would help clarify risks. But since they aren't, this policy has to be viewed in the light of an ongoing risk-management conversation.
Posted Nov 11, 2010 9:14 UTC (Thu) by pcampe (guest, #28223)
The point is the definition of "illegal", because circumventing the censorship in Iran or China is illegal, and China is a major country (note that the rule is about "major jurisdictions" and not democracies, quite a big difference in the context).
According to this rule, we could devise a "Fedora China", with tor and many other packages stripped off: which is disgusting, really.
Posted Nov 11, 2010 13:40 UTC (Thu) by rahulsundaram (subscriber, #21946)
Posted Nov 11, 2010 14:07 UTC (Thu) by pcampe (guest, #28223)
Posted Nov 11, 2010 17:43 UTC (Thu) by rahulsundaram (subscriber, #21946)
Copyright © 2013, Eklektix, Inc.