From: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
---|---|
To: | andrew(at)supernews(dot)com |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: possible design bug with PQescapeString() |
Date: | 2006-02-28 01:14:33 |
Message-ID: | 20060228.101433.28783203.t-ishii@sraoss.co.jp |
Lists: | pgsql-hackers |
FYI
I have sent an email to cores to ask if I am OK to bring another issue,
closely related to this one and whose details have already been sent to
them, to open discussion. The reason why I'm asking is, if this issue
could be open, then the issue might be open too and that makes
discussions easier.
At this point, I have gotten no response from them so far.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
> Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> writes:
> > I guess I understand what you are saying. However, I am not allowed to
> > talk to you about it unless cores allow me. Probably we need some
> > closed forum to discuss this kind of security issues.
>
> Considering that you've already described the problem on pgsql-hackers,
> I hardly see how further discussion is going to create a bigger security
> breach than already exists.
>
> (I'm of the opinion that the problem is mostly a client problem anyway;
> AFAICS the issue only comes up if client software fails to consider
> encoding issues while doing escaping. There is certainly no way that
> we can magically solve the problem in a new PG release, and so trying
> to keep it quiet until we can work out a solution seems pointless.)
>
> regards, tom lane