| From: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
|---|---|
| To: | Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Date: | 2002-08-12 13:51:35 |
| Message-ID: | 8765yg2niw.fsf@CERT.Uni-Stuttgart.DE |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
>> Yes, but if you just check that the date given by the user matches the
>> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
>> crash the backend.
> Anyone who is using that regular expression in an attempt to validate a
> user supplied date is already in trouble.
I don't understand why extremely strict syntax checks are necessary.
The database has to parse it again anyway, and if you can't rely on
the database to get this simple parsing right, will it store your
data? Such a reasoning doesn't seem to be too far-fetched to me
I would probably impose a length limit in the frontend that uses the
database, but the PostgreSQL documentation does not state that this is
a requirement (because the parsers in the backend are so fragile).
--
Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gavin Sherry | 2002-08-12 14:15:01 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Previous Message | Florian Weimer | 2002-08-12 13:48:10 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Copeland | 2002-08-12 14:00:17 | Re: OOP real life example (was Re: Why is MySQL more |
| Previous Message | Florian Weimer | 2002-08-12 13:48:10 | Re: [SECURITY] DoS attack on backend possible (was: Re: |