Skip site navigation (1) Skip section navigation (2)

Re: Security hole in 8.1.3 with respect to invalidly-encoded

From: Markus Schaber <schabi(at)logix-tt(dot)com>
To: Bernd Kappler <Bernd(dot)Kappler(at)genedata(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Security hole in 8.1.3 with respect to invalidly-encoded
Date: 2006-05-29 07:54:35
Message-ID: 447AA8BB.5080700@logix-tt.com (view raw or flat)
Thread:
Lists: pgsql-jdbc
Hi, Bernd,

Bernd Kappler wrote:

> we are using the postgresql jdbc driver build version 404 in conjunction with 
> postgresql 8.1.3. Could you please tell me, if this combination is safe with 
> respect to the security hole described in 
> 
> http://www.postgresql.org/docs/techdocs.50
> 
> I guess so - but better safe than sorry :-)

The pgsql-jdbc driver uses the 16-bit java encoding internally, and the
jvm-provided UTF8-encoder. Usually, the JVMs do not accept invalidly
encoded strings on input, and will not generate invalid ones on output,
so you should be save, if java is the only way for hostile people to
access the database.

I'm not shure what happens if you insane enough to use bytea and casting
inside the database, however, as this bypasses the JVM encodings, you'll
need to update your backend in this case.

HTH,
Markus
-- 
Markus Schaber | Logical Tracking&Tracing International AG
Dipl. Inf.     | Software Development GIS

Fight against software patents in EU! www.ffii.org www.nosoftwarepatents.org

In response to

pgsql-jdbc by date

Next:From: Marc HerbertDate: 2006-05-29 10:24:56
Subject: java UTF8 etc. (Re: Upgrading driver from 7.4 to 8.1)
Previous:From: Bernd KapplerDate: 2006-05-29 06:31:42
Subject: Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group