From: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | voronaam(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #18510: jsonpath does not support trailing backslash at the end of the query |
Date: | 2024-06-18 09:33:25 |
Message-ID: | 202406180933.az7sf7jc74ny@alvherre.pgsql |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On 2024-Jun-14, David G. Johnston wrote:
> It is working just fine. It sees both the regex and the backslash
> character and then helpfully tells you that the regex you wrote is
> bogus since the backslash you wrote isn't escaping anything.
Not really connected to this bug, but I think we should get rid of the
error that says that the end backslashes are useless. If that error
wasn't there, we would be one step closer to being able to mark the
operator for LIKE as leakproof. Right now, if you mark that operator as
leakproof and use it in a security barrier view, attackers can leak
entire strings by testing with that operator for each character one at a
time.
=# select * from secret where data like substring(data, 1, 7) escape 'r';
ERROR: LIKE pattern must not end with escape character
Here I verify that the character number 7 is an 'r'.
So this one error is the sole reason we have to mark the LIKE operator
as leaky, which is sad.
--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
"Just treat us the way you want to be treated + some extra allowance
for ignorance." (Michael Brusser)
From | Date | Subject | |
---|---|---|---|
Next Message | Muralikrishna Bandaru | 2024-06-18 11:32:37 | Re: BUG #18513: PG17 build on windows generates postgres.exe.lib instead of postgres.lib |
Previous Message | Floris Van Nee | 2024-06-18 09:19:41 | error cache lookup failed in plpgsql function |