| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
| Cc: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, pgsql-hackers(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net> |
| Subject: | Re: Replay attack of query cancel |
| Date: | 2008-08-17 01:46:08 |
| Message-ID: | 9644.1218937568@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Andrew Gierth wrote:
>> 2. The server accepts either the old-style or the secure cancel
>> request from the client, but doesn't allow old-style requests
>> once a valid secure request has been seen.

> Hmm, I think there should be a way to turn off acceptance of old-style
> without necessarily requiring a new-style request. Otherwise, how are
> you protected from DoS if you have never sent a cancel request at all?

Assuming you were using SSL, it's hard to see how an attacker is going
to get your cancel key without having seen a cancel request.

However, I dislike Andrew's proposal above even without that issue,
because it means *still more* changeable state that has to be magically
shared between postmaster and backends. If we want to have a way for
people to disable insecure cancels, we should just have a postmaster
configuration parameter that does it.

Also, this whole proposal has gotten far past what I'd consider a
sanely back-patchable thing. Don't bother thinking about whether it
will go into pre-8.4 code.

regards, tom lane