semicolon injection for a password passed to create_engine() on pyodbc

Issue #3762 resolved
Mike Bayer repo owner created an issue

also adodbapi, even though this dialect doesn't work

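from urllib.parse import quote  # Python 3 location of quote()

from sqlalchemy.connectors import pyodbc
from sqlalchemy.dialects.mssql import adodbapi
from sqlalchemy.engine import url

# password containing a semicolon followed by an extra key=value token
pw = "aaa;PORT=50001"

# pyodbc: password supplied in the URL's password field
u = url.make_url('somedb://db2inst1:%s@192.168.99.100/test' % quote(pw))
d = pyodbc.PyODBCConnector()
print(d.create_connect_args(u))

# adodbapi: user and password supplied as query-string arguments
u = url.make_url('somedb://@192.168.99.100/test?user=db2inst1:&password=%s' % quote(pw))
d = adodbapi.MSDialect_adodbapi()
print(d.create_connect_args(u))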

produces:

[['Server=192.168.99.100;Database=test;UID=db2inst1;PWD=aaa;PORT=50001'], {}]
[['Provider=SQLOLEDB;Data Source=None;Initial Catalog=None;User Id=db2inst1:;Password=aaa;PORT=50001'], {}]

Comments (3)

  1. Mike Bayer reporter

    Quote URL tokens with semicolons for pyodbc, adodbapi

    Fixed bug in pyodbc dialect (as well as in the mostly non-working adodbapi dialect) whereby a semicolon present in the password or username fields could be interpreted as a separator for another token; the values are now quoted when semicolons are present.

    Change-Id: I5f99fd8db53ebf8e805e7d9d60bc09b8f1af603f
    Fixes: #3762

    → <<cset 5fba7db9be7a>>

  2. Mike Bayer reporter

    Quote URL tokens with semicolons for pyodbc, adodbapi

    Fixed bug in pyodbc dialect (as well as in the mostly non-working adodbapi dialect) whereby a semicolon present in the password or username fields could be interpreted as a separator for another token; the values are now quoted when semicolons are present.

    Change-Id: I5f99fd8db53ebf8e805e7d9d60bc09b8f1af603f
    Fixes: #3762

    → <<cset f4ffd058ce5c>>

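The effect reported above, as an added example that is not SQLAlchemy's or pyodbc's code: a simplified tokenizer shows how the unquoted string from the report splits into an extra PORT token, and how quoting the value keeps the password whole. The helper names are hypothetical, and the brace form of quoting (`{...}` with `}` doubled, the ODBC connection-string convention) is an assumption here, since the commit message only says the values are quoted.

```python
# Added example; helper names are hypothetical, not SQLAlchemy or pyodbc APIs.
TEMPLATE = "Server=%s;Database=%s;UID=%s;PWD=%s"

def build_naive(host, database, user, password):
    """Plain concatenation: a ';' inside any value ends that token early."""
    return TEMPLATE % (host, database, user, password)

def brace_quote(value):
    """Assumed quoting form: wrap in {...} and double any '}' in the value."""
    value = str(value)
    if ";" in value or value.startswith("{"):
        return "{%s}" % value.replace("}", "}}")
    return value

def build_quoted(host, database, user, password):
    return TEMPLATE % tuple(brace_quote(v) for v in (host, database, user, password))

def parse_odbc(conn_str):
    """Simplified model of a driver's tokenizer: key=value pairs split on ';',
    with {...} values read up to the first undoubled '}'."""
    pairs, i, n = [], 0, len(conn_str)
    while i < n:
        if conn_str[i] == ";":  # separator or empty segment
            i += 1
            continue
        eq = conn_str.index("=", i)
        key, i = conn_str[i:eq].strip(), eq + 1
        if conn_str.startswith("{", i):
            i, buf = i + 1, []
            while i < n:
                if conn_str.startswith("}}", i):  # escaped closing brace
                    buf.append("}")
                    i += 2
                elif conn_str[i] == "}":  # end of the quoted value
                    i += 1
                    break
                else:
                    buf.append(conn_str[i])
                    i += 1
            value = "".join(buf)
        else:
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value, i = conn_str[i:end], end
        pairs.append((key, value))
    return pairs

PW = "aaa;PORT=50001"  # the password value from the report above
ARGS = ("192.168.99.100", "test", "db2inst1", PW)
if __name__ == "__main__":
    print(parse_odbc(build_naive(*ARGS)))   # PWD is cut short, PORT appears
    print(parse_odbc(build_quoted(*ARGS)))  # PWD round-trips intact
```
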