ActiveRecord + Postgres + \000 = BOOM

We’ve been seeing some queries against our Rails website which include
the “\000” character in some string params. I don’t know if these are
malicious or not, but Postgres does not like them at all, and
ActiveRecord does not help us by escaping this character.

It’s easy to repro:

$ script/console

Account.find_by_name("\000")
ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted
string at or near “’” at character 50
: SELECT * FROM accounts WHERE (accounts.“login” = ‘’ ) LIMIT 1

It seems that somewhere in the chain, either ActiveRecord or the
Postgres connection code should either strip or escape the \000
character.

This is pretty difficult problem to google against, but it seems
unlikely we’re the only ones with this issue. Anyone?

We’re on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Thanks,
Robin

[email protected] wrote:

We’re on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Thanks,
Robin

not much help but it’s known as a “poison null byte” iirc - used for sql
injection

unfortunately postgresql uses c-strings, and therefore treats binary
nulls in a “c way”. They could avoid it but haven’t done it so far as
far as I know…

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs