From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Peter Geoghegan <pg(at)heroku(dot)com> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Noah Misch <noah(at)leadboat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: jsonb, unicode escapes and escaped backslashes |
Date: | 2015-01-30 06:04:06 |
Message-ID: | 1739.1422597846@sss.pgh.pa.us |
Lists: | pgsql-hackers |
Peter Geoghegan <pg(at)heroku(dot)com> writes:
> I looked into it, and it turns out that MongoDB does not accept NUL in
> at least some contexts (for object keys). Apparently it wasn't always
> so. MongoDB previously had a security issue that was fixed by
> introducing this restriction. Their JSON-centric equivalent of
> per-column privileges was for a time compromised, because "NUL
> injection" was possible:
> https://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/
> It's easy to bash MongoDB, but this is still an interesting data
> point. They changed this after the fact, and yet I can find no
> evidence of any grumbling about it from end users. No one really
> noticed.
Hoo, that's interesting. Lends some support to my half-baked idea that
we might disallow NUL in object keys even if we are able to allow it
elsewhere in JSON strings.
regards, tom lane
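The failure mode the thread is discussing, NUL injection against a check that operates on JSON object keys, as an added example. This code is not from the thread, from MongoDB, or from PostgreSQL's jsonb implementation; it assumes a toy key type (`jkey`), a deliberately minimal hypothetical unescaper (`json_unescape`, ASCII-only, not the PostgreSQL parser), and a constructed attacker key `admin\u0000x`. It shows the general mechanism rather than MongoDB's specific bug: a JSON string may legally contain U+0000, but the moment the decoded key reaches C-string code it is silently truncated at the NUL, so a check written with strcmp() sees "admin" while a length-aware comparison sees a different key. The last function is the rule Tom floats, rejecting NUL in object keys outright, which closes the gap no matter which comparison a later consumer uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A decoded JSON object key. JSON text may carry \u0000, so the decoded
 * bytes are kept with an explicit length; they are NOT a C string. */
typedef struct {
    char   buf[64];
    size_t len;
} jkey;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical, minimal unescape of the body of a JSON string literal
 * (quotes already stripped): handles \uXXXX for code points below 0x80
 * and the \\ \" \/ escapes; anything else is rejected. */
static bool json_unescape(const char *src, jkey *out)
{
    out->len = 0;
    for (size_t i = 0; src[i] != '\0'; ) {
        if (out->len >= sizeof out->buf)
            return false;
        if (src[i] != '\\') {
            out->buf[out->len++] = src[i++];
            continue;
        }
        char e = src[i + 1];
        if (e == 'u') {
            int v = 0;
            for (int k = 0; k < 4; k++) {
                int h = hexval(src[i + 2 + k]);  /* hexval('\0') < 0: no overrun */
                if (h < 0)
                    return false;
                v = v * 16 + h;
            }
            if (v >= 0x80)
                return false;                    /* keep the demo ASCII-only */
            out->buf[out->len++] = (char) v;     /* \u0000 becomes a real NUL byte */
            i += 6;
        } else if (e == '\\' || e == '"' || e == '/') {
            out->buf[out->len++] = e;
            i += 2;
        } else {
            return false;
        }
    }
    return true;
}

/* Vulnerable check: hands the decoded key to C-string code, so comparison
 * stops at the embedded NUL and "admin\0x" is mistaken for "admin". */
static bool key_equals_cstr_unsafe(const jkey *k, const char *name)
{
    char tmp[sizeof k->buf + 1];
    memcpy(tmp, k->buf, k->len);
    tmp[k->len] = '\0';
    return strcmp(tmp, name) == 0;
}

/* Length-aware comparison: NUL is just another byte, so the keys differ. */
static bool key_equals_safe(const jkey *k, const char *name)
{
    size_t n = strlen(name);
    return k->len == n && memcmp(k->buf, name, n) == 0;
}

/* The restriction floated in the thread: refuse any object key containing
 * NUL, so no later C-string consumer can ever see a truncated key. */
static bool key_contains_nul(const jkey *k)
{
    return memchr(k->buf, '\0', k->len) != NULL;
}

int main(void)
{
    jkey k;
    /* Constructed attacker input: the JSON key text  admin\u0000x  */
    if (!json_unescape("admin\\u0000x", &k))
        return 1;
    printf("decoded length            : %zu\n", k.len);
    printf("strcmp check == \"admin\"   : %d\n", key_equals_cstr_unsafe(&k, "admin"));
    printf("length-aware == \"admin\"   : %d\n", key_equals_safe(&k, "admin"));
    printf("rejected by NUL-in-key rule: %d\n", key_contains_nul(&k));
    return 0;
}
```

Build with `cc -std=c99 -Wall nulkey.c`; the decoded key is seven bytes long, the strcmp-based check accepts it as "admin", the length-aware check does not, and the NUL-in-key rule would have rejected it before either check ran.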