| From: | Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> |
|---|---|
| To: | lyeoh(at)pop(dot)jaring(dot)my |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: a vulnerability in PostgreSQL |
| Date: | 2002-05-03 23:56:31 |
| Message-ID: | 20020504085631U.t-ishii@sra.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> > Oops. How about:
> >
> > foo'; DROP TABLE t1; -- foo
> >
> > The last ' gets removed, leaving -- (81a2).
> >
> > So you get:
> > select ... '(0x81a2)'; DROP TABLE t1; -- (0x81a2)
>
> This surely works:-< Ok, you gave me an enough example that shows even
> 7.1.x and 7.0.x are not safe.
>
> Included are patches for 7.1.3. Patches for 7.0.3 and 6.5.3 will be
> posted soon.
Included are patches for 7.0.3 and 6.5.3 I promised.
BTW,
>I hope you won't make this standard practice. Because there are quite
>significant differences that make upgrading from 7.1.x to 7.2 troublesome.
>I can't name them offhand but they've appeared on the list from time to time.
I tend to agree above but am not sure making backport patches are
core's job. I have been providing patches for PostgreSQL for years in
Japan, and people there seem to be welcome such kind of
services. However, supporting previous versions is not a trivial job
and I don't want core members to spend their valuable time for that
kind of job, since making backport patches could be done by anyone who
are familiar with PostgreSQL.
--
Tatsuo Ishii
| Attachment | Content-Type | Size |
|---|---|---|
| conv.c-7.0.3.patch | text/plain | 404 bytes |
| conv.c-6.5.3.patch | text/plain | 400 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2002-05-04 00:05:39 | Re: HEADS UP: Win32/OS2/BeOS native ports |
| Previous Message | Hiroshi Inoue | 2002-05-03 23:45:01 | Re: Using views and MS access via odbc |