From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Christophe Pettus <xof(at)thebuild(dot)com>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: lower() and unaccent() not leakproof |
Date: | 2021-08-26 15:46:14 |
Message-ID: | 2322C77D-2B8B-4C7E-965F-C4F20F21F8EE@yesql.se |
Lists: | pgsql-general |
> On 26 Aug 2021, at 16:59, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
> On 26.08.21 10:40, Daniel Gustafsson wrote:
>> Wouldn’t the difference in possible error messages in upper/lower be able to
>> leak whether the input is ascii or wide chars, and/or the collation?
>
> Yeah, but there aren't any error messages that relate to the argument string, if you look through the code. There isn't any "could not find lower case equivalent of %s" or anything like that.
Correct. My reading of "It reveals no information about its arguments other
than by its return value" was that error messages indicating different
code-paths based on argument structure weren't allowed. That might have been a
bit too lawyery an interpretation though.
--
Daniel Gustafsson https://vmware.com/