Re: possible design bug with PQescapeString()

From: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
To: andrew(at)supernews(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: possible design bug with PQescapeString()
Date: 2006-02-28 01:14:33
Message-ID: 20060228.101433.28783203.t-ishii@sraoss.co.jp
Lists: pgsql-hackers

FYI

I have sent an email to cores to ask if I am OK to bring another issue,
closely related to this one, to open discussions, whose details have
already been sent to them. The reason why I'm asking is, if this issue
could be open, then the issue might be open too and that makes
discussions easier.

At this point, I have received no response from them so far.
--
Tatsuo Ishii
SRA OSS, Inc. Japan

> Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> writes:
> > I guess I understand what you are saying. However, I am not allowed to
> > talk to you about it unless cores allow me. Probably we need some
> > closed forum to discuss this kind of security issues.
>
> Considering that you've already described the problem on pgsql-hackers,
> I hardly see how further discussion is going to create a bigger security
> breach than already exists.
>
> (I'm of the opinion that the problem is mostly a client problem anyway;
> AFAICS the issue only comes up if client software fails to consider
> encoding issues while doing escaping. There is certainly no way that
> we can magically solve the problem in a new PG release, and so trying
> to keep it quiet until we can work out a solution seems pointless.)
>
> regards, tom lane
