On Saturday, March 27, 2021 at 10:31:58 AM UTC, Antoine Koener wrote:
Le lundi 15 mars 2021 à 18:57:25 UTC+1, K.S. Bhaskar a écrit :
On Monday, March 15, 2021 at 1:35:13 PM UTC-4, [email protected] wrote:
Over the last few weeks all M/Gateway Developments' language bindings, together with our SQL engine, have been updated to include direct access to database transaction processing functionality.
All products mentioned here will work with YottaDB and the InterSystems databases (Cache and IRIS). All language bindings offer a choice of high performance in-process access to a locally installed database via the API or to a local or remote database via the network.
SQL: https://github.com/chrisemunt/mgsql
Node.js: https://github.com/chrisemunt/mg-dbx (https://www.npmjs.com/package/mg-dbx)
PHP: https://github.com/chrisemunt/mg_php
Python: https://github.com/chrisemunt/mg_python
Ruby: https://github.com/chrisemunt/mg_ruby
Go: https://github.com/chrisemunt/mg_go
Products listed are, of course, Open Source solutions. Enjoy!
Excellent news! Congratulations, Chris.
Regards
– Bhaskar
Excellent work!
I have quickly reviewed the mg_python source code and found that "strcpy" is still in use. :-(
And I looked a bit more and saw that the password or username are passed as is from the Python code.
https://github.com/chrisemunt/mg_python/blob/5e29a542519667a99cf994e0dc19952c089bf6f6/src/mg_python.c#L341
https://github.com/chrisemunt/mg_python/blob/5e29a542519667a99cf994e0dc19952c089bf6f6/src/mg_dba.h#L1109
I stopped my review there because I think that the code may be full of buffer overflows...
I would suggest checking the other libraries also for the same vulnerabilities...
Anyway, this is still an excellent contribution to the open source community...
Many thanks for taking a look at mg_python.
For the benefit of those not familiar with C programming, the use of the C string copy function - strcpy() - does not necessarily mean that the code is probably full of buffer overflows. The risk is not inherent in the use of this function (which, incidentally, is still part of the standard C library) per se, but in the way it is (mis)used. I appreciate that some software houses mandate that it should not be used but the alternatives come with their own problems. The cold reality is that there is no standard replacement for this function - at least not one that's portable. To give some context: a quick scan of the PHP and Apache code base reveals that the developers of these products still use strcpy(), so we're in good company!
While these mg_* language bindings have only recently been released as Open Source products the core code on which they are built has actually been in production use for around 20 years and, as such, I believe we have already addressed most, if not all, buffer overflow scenarios.
The username/password referred to in the review is related to the use of the API of the InterSystems products. It is up to the Python developers to decide how this password should be protected. mg_python does not involve itself with the security layer - this is the responsibility of the developer.
Of course, should anyone find an actual buffer overrun in mg_python then feel free to identify the problem and submit the fix. This is an Open Source initiative!
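The point made in the reply above is that strcpy() is only dangerous when the destination size is never checked against the source length. The following is an added example, not code from mg_python or any of the mg_* bindings: it uses a hypothetical fixed-size connection record (the struct, field sizes and function names are assumptions for illustration) and shows the length check that an unbounded strcpy() into such a record would skip. A caller-supplied username or password that does not fit is rejected rather than truncated or written past the field.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size connection record; not mg_python's own types. */
#define USERNAME_MAX 32
#define PASSWORD_MAX 64

typedef struct {
    char username[USERNAME_MAX];
    char password[PASSWORD_MAX];
} conn_params_t;

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success, -1 if src is too long (dst is left empty).
 * This is the bounds check that a bare strcpy(dst, src) omits. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dst_size) {      /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Populate the record from caller-supplied strings (e.g. values handed
 * down from a scripting language), refusing any that would not fit. */
int set_conn_params(conn_params_t *p, const char *user, const char *pass)
{
    if (bounded_copy(p->username, sizeof p->username, user) != 0)
        return -1;
    if (bounded_copy(p->password, sizeof p->password, pass) != 0) {
        p->username[0] = '\0';  /* do not leave a half-filled record */
        return -1;
    }
    return 0;
}

int main(void)
{
    conn_params_t p;
    /* Constructed inputs: one pair that fits, one username that is too long. */
    char too_long[USERNAME_MAX + 8];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("normal input:    %d\n", set_conn_params(&p, "alice", "s3cret"));
    printf("oversized input: %d\n", set_conn_params(&p, too_long, "s3cret"));
    return 0;
}
```

The check is deliberately `len >= dst_size` rather than `len > dst_size`: a string of exactly dst_size characters would still need one more byte for its terminator, which is the off-by-one that fixed-size fields most often get wrong.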
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)