Skip site navigation (1) Skip section navigation (2)

Re: possible design bug with PQescapeString()

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
Cc: andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: possible design bug with PQescapeString()
Date: 2006-02-26 23:13:35
Message-ID: 25086.1140995615@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> writes:
> I guess I understand whay you are saying. However, I am not allowed to
> talk to you about it unless cores allow me. Probably we need some
> closed forum to discuss this kind of security issues.

Considering that you've already described the problem on pgsql-hackers,
I hardly see how further discussion is going to create a bigger security
breach than already exists.

(I'm of the opinion that the problem is mostly a client problem anyway;
AFAICS the issue only comes up if client software fails to consider
encoding issues while doing escaping.  There is certainly no way that
we can magically solve the problem in a new PG release, and so trying
to keep it quiet until we can work out a solution seems pointless.)

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2006-02-27 00:26:19
Subject: Re: Scrollable cursors and Sort performance
Previous:From: Luke LonerganDate: 2006-02-26 23:01:19
Subject: Re: TOAST compression

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group