| From: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Date: | 2002-08-12 08:19:19 |
| Message-ID: | 878z3c4hh4.fsf@CERT.Uni-Stuttgart.DE |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Justin Clift <justin(at)postgresql(dot)org> writes:
>> Am I understanding this right:
>> - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
>> date values which would be accepted by standard "front end" parsing?
>
> AFAIK it's a buffer overrun issue, so anything that looks like a
> reasonable date would *not* cause the problem.
Yes, but if you just check that the date given by the user matches the
regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
crash the backend.
--
Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Florian Weimer | 2002-08-12 08:23:29 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Previous Message | Mike Mascari | 2002-08-12 07:17:56 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Florian Weimer | 2002-08-12 08:23:29 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Previous Message | Curt Sampson | 2002-08-12 08:14:02 | Re: OOP real life example (was Re: Why is MySQL more chosen |