Re: question about security hole CVE-2006-2313 and UTF-8

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: question about security hole CVE-2006-2313 and UTF-8
Date: 2006-05-29 16:01:09
Message-ID: 14708.1148918469@sss.pgh.pa.us
Lists: pgsql-hackers

"Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at> writes:
> It seems to me that UTF-8 databases are safe.

IIRC we determined that using UTF8 *on both the client and server sides*
is safe. You can get burnt with combinations such as server_encoding =
UTF8 and client_encoding = SJIS (exposing PQescapeString's naivete),
or with client_encoding = UTF8 and server_encoding = anything else
(exposing the server's weak validity checking during conversion).

regards, tom lane
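As an added illustration (not code from this thread or from PostgreSQL itself), the contrast Tom draws, in Python: a byte-oriented escaper that doubles quote and backslash bytes without knowing the client encoding, beside one that first validates the input strictly in the declared client encoding and only then escapes per character. The Shift_JIS sample and the invalid byte strings are constructed.

```python
"""Byte-oriented vs encoding-aware SQL string escaping (constructed example)."""


def naive_escape(data: bytes) -> bytes:
    """Escape byte by byte, blind to the client encoding.

    Doubles every 0x27 (') and 0x5C (\\) byte it sees, even when that byte is
    really the trailing byte of a multibyte character.
    """
    out = bytearray()
    for b in data:
        if b in (0x27, 0x5C):
            out.append(b)
        out.append(b)
    return bytes(out)


def encoding_aware_escape(data: bytes, client_encoding: str) -> bytes:
    """Validate in the declared client encoding, then escape whole characters.

    Strict decoding raises on truncated or illegal multibyte sequences instead
    of passing them along, and escaping happens on characters, so a trail byte
    equal to 0x5C is never mistaken for a backslash.
    """
    text = data.decode(client_encoding, errors="strict")
    escaped = text.replace("\\", "\\\\").replace("'", "''")
    return escaped.encode(client_encoding)


def is_valid_in(data: bytes, client_encoding: str) -> bool:
    """A strict validity check of the kind a server-side conversion needs."""
    try:
        data.decode(client_encoding, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


# Constructed sample: the Shift_JIS form of U+8868 is 0x95 0x5C, and its
# second byte has the same value as an ASCII backslash.
SJIS_SAMPLE = "\u8868".encode("shift_jis")

if __name__ == "__main__":
    print(naive_escape(SJIS_SAMPLE))                         # character split by an inserted 0x5C
    print(encoding_aware_escape(SJIS_SAMPLE, "shift_jis"))   # character left intact
    print(is_valid_in(b"abc\x95", "shift_jis"))              # False: truncated sequence
    print(is_valid_in(b"\xc0\xaf", "utf-8"))                 # False: overlong UTF-8 sequence
```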
