| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] PQescapeIdentifier |
| Date: | 2006-06-27 01:39:57 |
| Message-ID: | 1129.1151372397@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
Bruce Momjian <bruce(at)momjian(dot)us> writes:
> Tom Lane wrote:
>> Have either of you inquired into the encoding-safety of this code?
>> It certainly looks like no consideration was given for that.
> I thought of that but I assume we were not accepting user-supplied
> identifiers for this --- that this was only for application use. Am I
> wrong?
By definition, an escaping routine is not supposed to trust the data it
is handed. We *will* be seeing a CVE report if this function has got
any escaping vulnerability.
If you insist on a practical example, I can certainly imagine someone
thinking it'd be cool to allow searches on a user-selected column, and
implementing that by passing the user-given column name straight into
the query with only PQescapeIdentifier for safety.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christopher Kings-Lynne | 2006-06-27 02:40:25 | Re: GIN index creation extremely slow ? |
| Previous Message | Bruce Momjian | 2006-06-27 01:34:37 | Re: [HACKERS] PQescapeIdentifier |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Hiroshi Saito | 2006-06-27 02:23:33 | pg_backup_tar.c seems anerror by win32 |
| Previous Message | Bruce Momjian | 2006-06-27 01:34:37 | Re: [HACKERS] PQescapeIdentifier |