From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Mike Fowler <mike(at)mlfowler(dot)com> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Ben Hockey <neonstalwart(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: ecmascript 5 DATESTYLE |
Date: | 2010-05-19 10:43:12 |
Message-ID: | AANLkTikzu6EbiFzo914EG_K7ew6V0ZWhicaJIT3feG0b@mail.gmail.com |
Lists: | pgsql-hackers |
2010/5/19 Mike Fowler <mike(at)mlfowler(dot)com>:
> Pavel Stehule wrote:
>>
>> 2010/5/19 Mike Fowler <mike(at)mlfowler(dot)com>:
>>
>>>
>>> Pavel Stehule wrote:
>>>
>>>>
>>>> see google: lateral sql injection oracle NLS_DATE_FORMAT
>>>>
>>>> I would like this functionality too - and technically I don't see a
>>>> problem - It's less than 100 lines, but I don't need a new security
>>>> problem. So my proposal is to change nothing in this integrated
>>>> functionality and add a new custom date type - like cdate that can be
>>>> customized via GUC.
>>>>
>>>> Regards
>>>> Pavel
>>>>
>>>
>>> OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
>>> the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
>>> an arbitrary string which is then used for the attack. To me this is easy to
>>> code against, simply lock the date format right down and ensure that it is
>>> always controlled. IMHO I don't see an Oracle specific attack as a reason
>>> why we can't have a generic format. Surely we can learn from this known
>>> vulnerability and get another one up on Oracle?
>>>
>>
>> I am not a security expert - you can simply disallow apostrophes and
>> double quotes - but I am not sure if this can be safe - simply - I am
>> able to write this patch, but I am not able to ensure security.
>>
>> Regards
>> Pavel
>>
>
> Well you've rightly identified a potential security hole, so my
> recommendation would be to put the patch together bearing in mind the Oracle
> vulnerability. Once you've submitted the patch it can be reviewed and we can
> ensure that you've managed to steer clear of introducing the same/similar
> vulnerability into postgres.
>
> Am I right in thinking that you're now proposing to do the generic patch
> that Robert Haas and I prefer?
I'll look at the code and I'll see
Pavel
>
> Thanks,
>
> --
> Mike Fowler
> Registered Linux user: 379787
>
>
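
Added example, not part of the original message or of PostgreSQL's code: one way to "lock the date format right down", as discussed in the thread, is to accept a custom format only when it consists entirely of known field tokens and a few separator characters, instead of listing characters to forbid. The function name `date_format_is_safe`, the token list, the separator set and the length limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist of field tokens a custom date format may use. */
static const char *const allowed_tokens[] = {
    "YYYY", "HH24", "MM", "DD", "MI", "SS"
};
#define N_TOKENS (sizeof(allowed_tokens) / sizeof(allowed_tokens[0]))

/* Hypothetical allowlist of literal separators. It contains no quote,
 * backslash or semicolon, so formatted output built from an accepted
 * format cannot terminate an SQL string literal. */
static const char allowed_separators[] = "-/.: T";

#define MAX_FORMAT_LEN 32   /* assumed upper bound for the setting */

/* Return true only if fmt is non-empty, within the length bound, and made
 * up entirely of allowlisted tokens and separators. Everything else is
 * rejected; no attempt is made to enumerate dangerous characters. */
bool date_format_is_safe(const char *fmt)
{
    size_t len, pos = 0;

    if (fmt == NULL)
        return false;
    len = strlen(fmt);
    if (len == 0 || len > MAX_FORMAT_LEN)
        return false;

    while (pos < len) {
        size_t step = 0;

        /* Try each field token at the current position. */
        for (size_t i = 0; i < N_TOKENS && step == 0; i++) {
            size_t tlen = strlen(allowed_tokens[i]);
            if (strncmp(fmt + pos, allowed_tokens[i], tlen) == 0)
                step = tlen;
        }
        /* Otherwise accept exactly one allowlisted separator. */
        if (step == 0 && strchr(allowed_separators, fmt[pos]) != NULL)
            step = 1;
        if (step == 0)
            return false;   /* not allowlisted: reject the whole format */
        pos += step;
    }
    return true;
}
```

A check like this would run when the setting is assigned, so a rejected value never becomes the active format.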