From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net> |
Subject: | Re: Leakproofness of texteq()/textne() |
Date: | 2019-09-12 20:56:06 |
Message-ID: | CA+TgmoYZLXvO5JuuAZmFLG+YEtu_KnXzFn_NCsk0rn=1baroqg@mail.gmail.com |
Lists: | pgsql-hackers |

On Thu, Sep 12, 2019 at 1:38 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> In any case, from a purely theoretical viewpoint, such an error message
> *does* constitute a leak of information about the input strings. Whether
> it's a usable leak is very debatable, but that's basically what we've
> got to decide.

I'm pretty content to ignore information leaks that can only happen if
the database is corrupt anyway. If that's moving the goalposts at
all, it's about a quarter-inch. I mean, a slightly differently
corrupted varlena could crash the database entirely.

I wouldn't feel comfortable with ignoring information leaks that can
happen with some valid strings but not others. That sounds like
exactly the sort of information leak that we must prevent. The user
can write arbitrary stuff in their query, potentially transforming
strings so that the result hits the ERROR iff the original string had
some arbitrary property P for which they wish to test. Allowing that
sounds no different than deciding that int4div is leakproof, which it
sure isn't.

However, I wonder if there's any realistic case outside of an encoding
conversion where such failures can occur. I would expect, perhaps
naively, that the set of characters that can be represented by UTF-16
is the same set as can be represented by UTF-8.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
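
An added illustration of the argument in the message above (not part of the thread and not PostgreSQL source code): a toy Python model of why a function that raises an ERROR for some valid inputs, as int4div does on a zero divisor, cannot be marked leakproof. `Func`, `scan`, `error_reveals` and the sample rows are constructed for this example, and the "pushed below the filter" branch is a simplification of planner behaviour.

```python
# Toy model of qual pushdown under a row filter; not PostgreSQL source code.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Func:
    name: str
    impl: Callable[[int, int], int]
    leakproof: bool  # if True, the model runs it on rows the caller cannot see

def div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero")  # the ERROR depends on the input
    return a // b

# Constructed sample table; the caller is only allowed to see alice's row.
ROWS = [{"owner": "alice", "salary": 100}, {"owner": "bob", "salary": 250}]

def visible(row: dict) -> bool:
    return row["owner"] == "alice"

def scan(rows, security_qual, func: Func, guess: int) -> list:
    """Filter rows by the security qual and a user qual calling func(1, salary - guess)."""
    out = []
    for row in rows:
        user_qual = lambda r=row: func.impl(1, r["salary"] - guess) is not None
        if func.leakproof:
            ok = user_qual() and security_qual(row)  # pushed below the filter
        else:
            ok = security_qual(row) and user_qual()  # runs on visible rows only
        if ok:
            out.append(row)
    return out

def error_reveals(func: Func, guess: int) -> bool:
    """True if the query fails, i.e. some row the function saw has salary == guess."""
    try:
        scan(ROWS, visible, func, guess)
        return False
    except ZeroDivisionError:
        return True

int4div = Func("int4div", div, leakproof=False)             # not leakproof, as the message says
int4div_mislabelled = Func("int4div", div, leakproof=True)  # hypothetical wrong marking

if __name__ == "__main__":
    for f in (int4div, int4div_mislabelled):
        print(f.leakproof, [g for g in (100, 249, 250, 251) if error_reveals(f, g)])
```

With the correct marking the error can only be triggered by the caller's own row; with the hypothetical leakproof marking it also fires exactly when the guess matches the hidden row's value.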