From: | Markus Schaber <schabi(at)logix-tt(dot)com> |
---|---|
To: | Bernd Kappler <Bernd(dot)Kappler(at)genedata(dot)com> |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: Security hole in 8.1.3 with respect to invalidly-encoded |
Date: | 2006-05-29 07:54:35 |
Message-ID: | 447AA8BB.5080700@logix-tt.com |
Lists: | pgsql-jdbc |
Hi, Bernd,
Bernd Kappler wrote:
> we are using the postgresql jdbc driver build version 404 in conjunction with
> postgresql 8.1.3. Could you please tell me, if this combination is safe with
> respect to the security hole described in
>
> http://www.postgresql.org/docs/techdocs.50
>
> I guess so - but better safe than sorry :-)
The pgsql-jdbc driver uses the 16-bit Java encoding internally, and the
JVM-provided UTF8-encoder. Usually, the JVMs do not accept invalidly
encoded strings on input, and will not generate invalid ones on output,
so you should be safe, if Java is the only way for hostile people to
access the database.
I'm not sure what happens if you are insane enough to use bytea and casting
inside the database, however, as this bypasses the JVM encodings, you'll
need to update your backend in this case.
HTH,
Markus
--
Markus Schaber | Logical Tracking&Tracing International AG
Dipl. Inf. | Software Development GIS
Fight against software patents in EU! www.ffii.org www.nosoftwarepatents.org
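
The JVM behaviour described in the reply above can be checked directly. The following is an added example, not part of the original message or of the pgsql-jdbc driver; the class and method names are hypothetical, the byte and string samples are constructed, and it assumes a JDK with `java.nio.charset.StandardCharsets` (Java 7 or later).

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.*;

public class Utf8StrictnessDemo {
    // Strict decode: true only if the bytes are well-formed UTF-8.
    static boolean isWellFormedUtf8(byte[] bytes) {
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        try {
            dec.decode(ByteBuffer.wrap(bytes));
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    // Strict encode: false if the String holds broken UTF-16 (e.g. a lone surrogate).
    static boolean encodesCleanly(String s) {
        try {
            StandardCharsets.UTF_8.newEncoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .encode(CharBuffer.wrap(s));
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: lead byte 0xC3 followed by an ASCII quote, not a continuation byte.
        byte[] truncated = {(byte) 0xC3, 0x27};
        System.out.println("input bytes well-formed? " + isWellFormedUtf8(truncated));
        // Lenient decoding substitutes U+FFFD, so the bad byte never ends up inside a String.
        String lenient = new String(truncated, StandardCharsets.UTF_8);
        System.out.println("replaced by U+FFFD? " + (lenient.charAt(0) == '\uFFFD'));

        // Constructed sample: an unpaired surrogate, i.e. invalid UTF-16 held in a Java String.
        String lone = "a\uD800b";
        // String.getBytes substitutes '?', so what goes on the wire is still valid UTF-8.
        System.out.println("getBytes output well-formed? "
                + isWellFormedUtf8(lone.getBytes(StandardCharsets.UTF_8)));
        System.out.println("strict encoder accepts it? " + encodesCleanly(lone));
    }
}
```

This covers only text that passes through Java strings; bytes sent as `bytea` and cast inside the database never go through these encoders, which is the case the reply says needs a backend update.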