| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] PQescapeIdentifier |
| Date: | 2006-06-27 02:49:30 |
| Message-ID: | 200606270249.k5R2nUw08664@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Tom Lane wrote:
> >> Have either of you inquired into the encoding-safety of this code?
> >> It certainly looks like no consideration was given for that.
>
> > I thought of that but I assume we were not accepting user-supplied
> > identifiers for this --- that this was only for application use. Am I
> > wrong?
>
> By definition, an escaping routine is not supposed to trust the data it
> is handed. We *will* be seeing a CVE report if this function has got
> any escaping vulnerability.
>
> If you insist on a practical example, I can certainly imagine someone
> thinking it'd be cool to allow searches on a user-selected column, and
> implementing that by passing the user-given column name straight into
> the query with only PQescapeIdentifier for safety.
OK, does someone want to fix it, or should I revert it?
--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2006-06-27 03:03:19 | Re: vacuum, performance, and MVCC |
| Previous Message | Christopher Kings-Lynne | 2006-06-27 02:43:24 | Re: [HACKERS] PQescapeIdentifier |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2006-06-27 02:56:52 | Re: pg_backup_tar.c seems anerror by win32 |
| Previous Message | Christopher Kings-Lynne | 2006-06-27 02:43:24 | Re: [HACKERS] PQescapeIdentifier |