From: Lionel B. <lio...@bo...> - 2004-12-13 12:59:10
HaJo Schatz wrote the following on 12/13/04 12:47 :

>On Sat, 2004-12-11 at 02:27, Lionel Bouton wrote:
>
>>Hi,
>>
>>1.4.0 is released on sourceforge. There was a window left for SQL
>>injection that was reported this morning; it is fixed in this version.
>>
>
>Appears good. A few thoughts though:
>
>- Shouldn't sqlgrey be placed in /usr/sbin rather than /usr/bin?
>

Makes sense to me.

>- Ever thought of a "live update" of the whitelists rather than
>supplying them with the source/rpm? I.e. sqlgrey, in say weekly intervals,
>loading them from sqlgrey.sf.net?
>

Nice idea. I don't want to bloat SQLgrey with the download code (I'm already worried by its size and what it will be like with SPF support), but I sure can add a hook to make it reload the main whitelists on a SIGHUP, for example. Then it's only a matter of a simple script that will fetch the download URLs from the conf file, download the whitelists, make some simple checks, replace the whitelist files and send SIGHUP to sqlgrey. I don't think distributing them from sourceforge is acceptable by sourceforge policy, but I can set up an alternate distribution server (in fact Gentoo users can install SQLgrey from the sources on my server already).

>- Is /var/sqlgrey really necessary? Wouldn't it be enough to start
>sqlgrey in /tmp?
>

For MySQL and PostgreSQL users, /var/sqlgrey isn't needed at all. But SQLite users need a working directory for the database. The RPM can't guess which database will be used. As the answer really isn't obvious, I'll add this to the FAQ.

Best regards,

Lionel.
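The update script Lionel sketches (read the download location from the conf file, fetch the lists, run simple checks, replace the files, send SIGHUP) is concrete enough to write down. The script below is an added example for this page, not code from Lionel, HaJo or the SQLgrey project. Everything it relies on is an assumption: the `whitelists_url` conf key, the file names `clients_ip_whitelist` and `clients_fqdn_whitelist` under `/etc/sqlgrey`, the PID file `/var/run/sqlgrey.pid`, and a daemon that actually reloads its lists on SIGHUP, which the message only proposes. The interesting part for a practitioner is the "simple checks" step: a download that returns an HTML error page, a captive-portal login or a truncated body must never replace a working whitelist, and the daemon should be signalled once, only after a file really changed.

```shell
#!/bin/bash
# update-sqlgrey-whitelists.sh: hypothetical cron helper for the procedure
# sketched in the thread, not part of SQLgrey. Assumed (not from the post):
# a conf line "whitelists_url = http://host/path", list files named
# clients_ip_whitelist and clients_fqdn_whitelist under /etc/sqlgrey, a PID
# file /var/run/sqlgrey.pid, and a daemon that reloads its lists on SIGHUP.
set -eu

CONF="${SQLGREY_CONF:-/etc/sqlgrey/sqlgrey.conf}"
WL_DIR="${SQLGREY_WL_DIR:-/etc/sqlgrey}"
PIDFILE="${SQLGREY_PIDFILE:-/var/run/sqlgrey.pid}"
WHITELISTS="clients_ip_whitelist clients_fqdn_whitelist"

# Print the URL prefix from the conf file. Only http(s) URLs made of plain
# URL characters pass, so a tampered conf cannot smuggle curl options or
# shell metacharacters into the download step.
get_base_url() {
    local url
    url=$(sed -n 's/^[[:space:]]*whitelists_url[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$url" in
        ''|*[!A-Za-z0-9./:_%~-]*) return 1 ;;
        http://*|https://*) printf '%s\n' "${url%/}" ;;
        *) return 1 ;;
    esac
}

# Download one list into a temp file. Hard limits keep a stalled or
# oversized response from hanging the cron job or filling the disk.
fetch_whitelist() {
    local tmp
    tmp=$(mktemp)
    curl -fsS --max-time 60 --max-filesize 2000000 -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# The "simple checks": non-empty, bounded size, and every non-comment line
# made of address/host characters only. An HTML error document, a captive
# portal page or a truncated transfer fails here instead of going live.
check_whitelist() {
    local f="$1" lines
    [ -s "$f" ] || return 1
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -le 20000 ] || return 1
    if grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" \
        | grep -q -v -E '^[A-Za-z0-9._:*/-]+$'; then
        return 1
    fi
    return 0
}

# Replace the live file atomically: copy into the target directory, fix the
# mode, then rename, so the daemon never reads a half-written list.
# Prints "changed" or "unchanged" so the caller knows whether to signal.
install_whitelist() {
    local src="$1" dest="$2" tmp
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp "$dest.XXXXXX")
    cp "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
    echo changed
}

# Send the reload signal; refuse a PID file that is not a bare integer.
reload_sqlgrey() {
    local pid
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -HUP "$pid"
}

main() {
    local base name tmp status changed=0
    base=$(get_base_url "$CONF") || { echo "no valid whitelists_url in $CONF" >&2; exit 1; }
    for name in $WHITELISTS; do
        if ! tmp=$(fetch_whitelist "$base/$name"); then
            echo "download of $name failed, keeping current file" >&2
            continue
        fi
        if ! check_whitelist "$tmp"; then
            echo "$name failed validation, keeping current file" >&2
            rm -f "$tmp"
            continue
        fi
        status=$(install_whitelist "$tmp" "$WL_DIR/$name")
        rm -f "$tmp"
        if [ "$status" = changed ]; then changed=1; fi
    done
    # One SIGHUP per run, and only when some file actually changed.
    if [ "$changed" = 1 ]; then
        reload_sqlgrey "$PIDFILE" || echo "could not signal sqlgrey" >&2
    fi
}

# Run main only when invoked as the script itself, not when sourced.
case "${0##*/}" in
    update-sqlgrey-whitelists.sh) main "$@" ;;
esac
```

A weekly cron entry such as `0 4 * * 1 /usr/local/sbin/update-sqlgrey-whitelists.sh` is all the scheduling this needs. Note what the checks do and do not buy: they catch a broken or non-whitelist download, but they cannot tell a deliberately altered list from a genuine one; a list fetched over plain HTTP can be swapped in transit, and on a greylisting daemon a planted whitelist entry means mail from that source bypasses greylisting. Verifying a detached checksum or signature inside `check_whitelist` would be the natural next step; that is a suggestion here, not something the message proposes.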