Re: prevent invalidly encoded input

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: "Patches (PostgreSQL)" <pgsql-patches(at)postgresql(dot)org>
Subject: Re: prevent invalidly encoded input
Date: 2007-09-11 18:06:09
Message-ID: 15042.1189533969@sss.pgh.pa.us
Lists: pgsql-patches
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Attached is a patch to the scanner and the COPY code that checks for 
> invalidly encoded data that can currently leak into our system via \ 
> escapes in quoted literals or text mode copy fields, as recently 
> discussed. That would still leave holes via chr(), convert() and 
> possibly other functions, but these two paths are the biggest holes that 
> need plugging.

The COPY code looks sane.  On the scan.l change, I believe two out of
three of those calls are useless, because we do not do backslash
processing in dollar-quoted strings nor in quoted identifiers.
Also, I'd kinda like to have the check-for-high-bit optimization in
scan.l too --- some people do throw big literals at the thing.

			regards, tom lane
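
An added example (not from the original message or the PostgreSQL source): one reading of the check-for-high-bit optimization mentioned above, where the full encoding verifier runs only if a backslash escape produced a byte with the high bit set. The names `unescape_checked` and `utf8_valid` are hypothetical, UTF-8 is assumed as the server encoding, and the raw (unescaped) input is assumed to have been validated on arrival.

```c
#include <stdbool.h>
#include <stddef.h>

/* Strict UTF-8 verifier; a stand-in for the server's per-encoding check. */
static bool utf8_valid(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; ) {
        unsigned char c = s[i];
        size_t len = c < 0x80 ? 1 : (c >> 5) == 0x06 ? 2 :
                     (c >> 4) == 0x0E ? 3 : (c >> 3) == 0x1E ? 4 : 0;
        if (len == 0 || i + len > n) return false;
        for (size_t k = 1; k < len; k++)
            if ((s[i + k] & 0xC0) != 0x80) return false;
        /* Reject overlong forms, surrogates and values above U+10FFFF. */
        if (len == 2 && c < 0xC2) return false;
        if (len == 3 && ((c == 0xE0 && s[i + 1] < 0xA0) ||
                         (c == 0xED && s[i + 1] > 0x9F))) return false;
        if (len == 4 && (c > 0xF4 || (c == 0xF0 && s[i + 1] < 0x90) ||
                         (c == 0xF4 && s[i + 1] > 0x8F))) return false;
        i += len;
    }
    return true;
}

/* Decode backslash escapes (\ooo octal, \c literal) from src into out, which
 * must hold strlen(src) bytes. Returns the decoded length, or -1 when an
 * escape introduced an invalid sequence. *verified reports whether the full
 * verifier had to run. */
long unescape_checked(const char *src, unsigned char *out, bool *verified)
{
    size_t n = 0;
    bool saw_high_bit = false;      /* set only by escape-produced bytes */
    for (const char *p = src; *p; p++) {
        unsigned char c = (unsigned char) *p;
        if (c == '\\' && p[1] >= '0' && p[1] <= '7') {
            unsigned v = 0;
            for (int d = 0; d < 3 && p[1] >= '0' && p[1] <= '7'; d++)
                v = v * 8 + (unsigned) (*++p - '0');
            c = (unsigned char) v;  /* truncates values above 0377 */
            if (c & 0x80) saw_high_bit = true;
        } else if (c == '\\' && p[1] != '\0') {
            c = (unsigned char) *++p;
        }
        out[n++] = c;
    }
    *verified = saw_high_bit;       /* plain ASCII escapes skip the verifier */
    return (saw_high_bit && !utf8_valid(out, n)) ? -1 : (long) n;
}
```

A literal made only of ASCII, or whose escapes decode to ASCII, never reaches `utf8_valid`, which is the saving for large literals.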
