Re: question about security hole CVE-2006-2313 and UTF-8

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: question about security hole CVE-2006-2313 and UTF-8
Date: 2006-05-29 16:01:09
Message-ID: 14708.1148918469@sss.pgh.pa.us
Lists: pgsql-hackers
"Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at> writes:
> It seems to me that UTF-8 databases are safe.

IIRC we determined that using UTF8 *on both the client and server sides*
is safe.  You can get burnt with combinations such as server_encoding =
UTF8 and client_encoding = SJIS (exposing PQescapeString's naivete),
or with client_encoding = UTF8 and server_encoding = anything else
(exposing the server's weak validity checking during conversion).

			regards, tom lane
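
The SJIS case mentioned in the message above, as an added example that is not part of the original message and is not libpq's code: a byte-wise escaper compared with an encoding-aware one on a constructed Shift_JIS character whose trail byte equals the ASCII backslash. The function names `escape_bytewise` and `escape_sjis` are hypothetical, the model is simplified, and the caller is assumed to supply an output buffer of at least 2*len+1 bytes.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: one Shift_JIS character whose second byte is 0x5C,
 * the same byte value as an ASCII backslash. */
static const char SAMPLE[] = { (char)0x95, (char)0x5C };

static int sjis_lead(unsigned char c)  { return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC); }
static int sjis_trail(unsigned char c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFC); }

/* Hypothetical byte-wise escaper: doubles every ' and \ byte, ignoring encoding. */
size_t escape_bytewise(char *to, const char *from, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\') to[n++] = from[i];
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* Hypothetical encoding-aware escaper for Shift_JIS input: two-byte characters
 * are copied whole, and a truncated or invalid pair is rejected via *error. */
size_t escape_sjis(char *to, const char *from, size_t len, int *error) {
    size_t n = 0;
    *error = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)from[i];
        if (sjis_lead(c)) {
            if (i + 1 >= len || !sjis_trail((unsigned char)from[i + 1])) {
                *error = 1; to[0] = '\0'; return 0;
            }
            to[n++] = from[i++];   /* lead byte */
            to[n++] = from[i];     /* trail byte, never treated as ASCII */
            continue;
        }
        if (c == '\'' || c == '\\') to[n++] = from[i];
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

int main(void) {
    char a[8], b[8]; int err;
    size_t na = escape_bytewise(a, SAMPLE, sizeof SAMPLE);
    size_t nb = escape_sjis(b, SAMPLE, sizeof SAMPLE, &err);
    printf("byte-wise: %zu bytes, SJIS-aware: %zu bytes, error=%d\n", na, nb, err);
    return 0;
}
```

The byte-wise version emits three bytes for a two-byte character, so a server decoding the literal as SJIS sees the character followed by a backslash the client never intended; the encoding-aware version leaves the character intact and refuses input that ends in the middle of a character.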
