Re: Serious 7.2 issue (non quiet string truncation)

From: David Terrell <dbt(at)meat(dot)net>
To: Rod Taylor <rbt(at)zort(dot)ca>
Cc: Giovanni Tummarello <tummarel(at)ascu(dot)unian(dot)it>, Hackers List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Serious 7.2 issue (non quiet string truncation)
Date: 2002-02-18 21:10:09
Message-ID: 20020218131009.C25084@pianosa.catch22.org
Lists: pgsql-hackers

On Mon, Feb 18, 2002 at 03:28:15PM -0500, Rod Taylor wrote:
> Why can't you truncate the string yourself.
>
> Take at least one of these actions:
>
> 1. Limit the forms themselves to the length in question:
> <input type="text" size="50" />

An attacker could circumvent this by not going through the webform.
While it's doubtful such an attack would cause an exploitable
condition in a language like PHP, it's still better to check
post-submission...

> 2. Trim the string to length in the code (php below):
> $string = substr($string, 0, 50);

like this.

> 3. Have the INSERT truncate the string:
> INSERT INTO table (col1) VALUES (substring('valuetoinsert', 1, 5));
>
>
> Any of the above (or all of the above) will accomplish what you
> require. I personally suggest both 1 and 2. But 3 can be used if
> necessary.

1 and 2, as you say.

Otherwise some day you convert your code over to C and forget to
truncate, and you may be exploitable.

--
David Terrell | "Science is like sex: sometimes
dbt(at)meat(dot)net | something useful comes out, but
Nebcorp Prime Minister | that is not the reason we are
http://wwn.nebcorp.com/ | doing it" -- Richard Feynman
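
The post-submission length check discussed above, written for the C case the message ends on, where a forgotten bound becomes a buffer overflow. This is an added example, not code from the thread; the function name store_col1, the status enum and the use of the thread's 50-byte limit as a fixed column width are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define COL1_MAX 50  /* assumed column width, taken from the thread's examples */

enum field_status { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_BAD_ARG = 2 };

/*
 * Copy a submitted value of in_len bytes into dst.
 * The input comes from the request, so it is treated as untrusted:
 * it may be longer than the form allows and need not be NUL-terminated.
 * dst must hold at least COL1_MAX + 1 bytes.
 *
 * truncate != 0: keep the first COL1_MAX bytes (like substr($string, 0, 50))
 *                and still report FIELD_TOO_LONG so the caller can log it.
 * truncate == 0: reject overlong input and leave dst as an empty string.
 */
enum field_status store_col1(char *dst, size_t dst_size,
                             const char *in, size_t in_len, int truncate)
{
    enum field_status st = FIELD_OK;

    if (dst == NULL || in == NULL || dst_size < COL1_MAX + 1)
        return FIELD_BAD_ARG;

    dst[0] = '\0';
    if (in_len > COL1_MAX) {
        if (!truncate)
            return FIELD_TOO_LONG;
        in_len = COL1_MAX;      /* bound the copy before touching dst */
        st = FIELD_TOO_LONG;
    }
    memcpy(dst, in, in_len);    /* in_len <= COL1_MAX < dst_size here */
    dst[in_len] = '\0';
    return st;
}
```

The limit is counted in bytes, as PHP's substr() counts them.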
