From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
---|---|
To: | "Gavin Sherry" <swm(at)linuxworld(dot)com(dot)au>, "Florian Weimer" <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
Cc: | <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Date: | 2002-08-12 14:23:53 |
Message-ID: | D85C66DA59BA044EB96AB9683819CF61015172@dogbert.vale-housing.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> -----Original Message-----
> From: Gavin Sherry [mailto:swm(at)linuxworld(dot)com(dot)au]
> Sent: 12 August 2002 15:15
> To: Florian Weimer
> Cc: pgsql-hackers(at)postgresql(dot)org
> Subject: Re: [HACKERS] [SECURITY] DoS attack on backend
> possible (was: Re:
>
>
> On Mon, 12 Aug 2002, Florian Weimer wrote:
>
> > Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
> >
> > >> Yes, but if you just check that the date given by the
> user matches
> > >> the regular expression "[0-9]+-[0-9]+-[0-9]+", it's
> still possible
> > >> to crash the backend.
> >
> > > Anyone who is using that regular expression in an attempt to
> > > validate a user supplied date is already in trouble.
> >
> > I don't understand why extremely strict syntax checks are
> necessary.
> > The database has to parse it again anyway, and if you can't rely on
> > the database to get this simple parsing right, will it store your
> > data? Such a reasoning doesn't seem to be too far-fetched to me
>
> Why attempt to validate the user data at all if you're going
> to do a bad job of it? Moreover, 'rely on the database to get
> this ... right': what kind of security principle is that? For
> someone interested in security, you've just broken the most
> important principle.
If I write code in a Microsoft product such as VB it will happily accept
timestamps such as '2001-12-23 22.15.01' which is a perfectly valid date
in some parts of the world. PostgreSQL will barf on the .'s - is it
expected then that I write my own validation/parsing code to replace
Microsoft's in this and every other area that may need checking just
because PostgreSQL doesn't understand a particular format? I would
rather let PostgreSQL alone know about it's oddities and just throw me
an error I can deal with in such cases.
Regards, Dave.
PS (Gavin). Thanks for the CREATE OR REPLACE's you recently submitted!
From | Date | Subject | |
---|---|---|---|
Next Message | Rod Taylor | 2002-08-12 14:24:24 | Re: Strange bahaviour |
Previous Message | Gavin Sherry | 2002-08-12 14:15:01 | Re: [SECURITY] DoS attack on backend possible (was: Re: |