| From: | Richard Huxton <dev(at)archonet(dot)com> |
|---|---|
| To: | Kenneth Downs <ken(at)secdat(dot)com> |
| Cc: | pgsql general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Paypal and "going root" |
| Date: | 2007-05-18 12:40:15 |
| Message-ID: | 464D9EAF.3050402@archonet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Kenneth Downs wrote:
> Richard Huxton wrote:
>> Kenneth Downs wrote:
>>> The last one left that I have is the sticky issue of a paypal IPN
>>> transaction coming in. I believe it applies generally to financial
>>> transactions. The user is sent by our application to the Paypal
>>> site. When they pay, paypal sends a POST with various information
>>> that we need. The user does not see this, it is behind the scenes.
>>> The POST request must run as an anonymous user because I have no
>>> state whatsoever. But the request must also commit financial data.
>>> This creates a vulnerability, at least in theory.
>>
>> Well, your POST will be authenticating as some sort of PG user,
>> presumably. Give it its own account and make sure the only permissions
>> it has is to insert into the paypal_rcpt table (or call a function
>> that does it for you). Obviously it will only connect from the
>> webserver(s) and only from the apache user account (or IIS/whatever).
>> So, you can use the ~/.pgpass password file to keep that password
>> protected.
>>
> I think this is the answer that I need. This goes to the heart of how
> the user connects to PG. The key concept that I'm taking away from your
> answer is that instead of connecting as a powerful user, connect as a
> severely limited user who can do only one thing: make that insert. The
> rest should be conducted from there.
Ah, that's exactly what I was trying to say. Apologies if I phrased it
badly, but you seem to have the gist anyway.
> I can put some rules on the receipts table that require the row to
> contain various hashes and verification codes obtained from the invoice
> table, and the user who inserts to this table must have no ability to
> read any other table in the system, so they cannot obtain the codes by
> any means. In converse, I believe normal users should not be able to
> read or write this table, it would be completely invisible to your
> average Joe.
You might want to allow inserts and have a "validated" flag that you can
check. Failing that, make sure you log the values on a failed insert -
always useful to have an audit trail if there are problems.
--
Richard Huxton
Archonet Ltd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Lew | 2007-05-18 12:43:41 | Re: hi |
| Previous Message | Alexi Gen | 2007-05-18 12:39:50 | Location of \pgsql\src\test\regress\readme. |