Re: a vulnerability in PostgreSQL

From: Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
To: pgman(at)candle(dot)pha(dot)pa(dot)us
Cc: lyeoh(at)pop(dot)jaring(dot)my, pgsql-hackers(at)postgresql(dot)org
Subject: Re: a vulnerability in PostgreSQL
Date: 2002-06-13 01:10:45
Message-ID: 20020613.101045.45157492.t-ishii@sra.co.jp
Lists: pgsql-hackers

> Do we need to do any more work to document this problem?

Better documentation will be welcome. However, which document?
--
Tatsuo Ishii

> ---------------------------------------------------------------------------
>
> Tatsuo Ishii wrote:
> > > Oops. How about:
> > >
> > > foo'; DROP TABLE t1; -- foo
> > >
> > > The last ' gets removed, leaving -- (81a2).
> > >
> > > So you get:
> > > select ... '(0x81a2)'; DROP TABLE t1; -- (0x81a2)
> >
> > This surely works :-< OK, you gave me enough of an example to show that
> > even 7.1.x and 7.0.x are not safe.
> >
> > Included are patches for 7.1.3. Patches for 7.0.3 and 6.5.3 will be
> > posted soon.
>
> [ Attachment, skipping... ]
>
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
>
