ActiveRecord + Postgres + \000 = BOOM

We've been seeing some queries against our Rails website which include
the "\000" character in some string params. I don't know if these are
malicious or not, but Postgres does not like them at all, and
ActiveRecord does not help us by escaping this character.

It's easy to repro:

$ script/console

Account.find_by_name("\000")

ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted
string at or near "'" at character 50
: SELECT * FROM accounts WHERE (accounts."login" = '' ) LIMIT 1

It seems that somewhere in the chain, either ActiveRecord or the
Postgres connection code should either strip or escape the \000
character.

This is pretty difficult problem to google against, but it seems
unlikely we're the only ones with this issue. Anyone?

We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Thanks,
Robin

robinluckey@gmail.com wrote:

We've been seeing some queries against our Rails website which include
the "\000" character in some string params. I don't know if these are
malicious or not, but Postgres does not like them at all, and
ActiveRecord does not help us by escaping this character.

It's easy to repro:

$ script/console
  

Account.find_by_name("\000")
      

ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted
string at or near "'" at character 50
: SELECT * FROM accounts WHERE (accounts."login" = '' ) LIMIT 1

It seems that somewhere in the chain, either ActiveRecord or the
Postgres connection code should either strip or escape the \000
character.

This is pretty difficult problem to google against, but it seems
unlikely we're the only ones with this issue. Anyone?

We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Thanks,
Robin

>

not much help but it's known as a "poison null byte" iirc - used for sql
injection
<runs off to test setup/>