From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>, PostgreSQL-development <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: libxml2 author overwhelmed with security requests |
Date: | 2025-06-19 20:59:38 |
Message-ID: | CAFj8pRCJkXgpi=f7hmmkOfCrc4EKdWfOTbR3xdsjfi6YEem+sg@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jun 19, 2025 at 22:09, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote:
> > On 19.06.25 03:41, Bruce Momjian wrote:
> > > This blog post explains the serious problems the single libxml2 author
> > > is having in maintaining the library:
> > >
> > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> > >
> > > There are few learnings from this:
> > >
> > > * libxml2 is even less production-ready than we thought
> > > * many projects don't have the resources we do
> > >
> >
> > That's even worse than I thought. Especially this disclaimer consideration:
> >
> > “This is open-source software written by hobbyists, maintained by a
> > single volunteer, badly tested, written in a memory-unsafe language and
> > full of security bugs. It is foolish to use this software to process
> > untrusted data.”
> >
> > No wonder other major databases opt for writing their own XML processing
> > engines. Sadly, despite these issues, there doesn't seem to be a decent
> > alternative to libxml2 :(
>
> I think our solution to making Postgres more secure would be to just
> remove XML support --- we already have the inclusion of libxml options at
> configure time. I don't think there is community support to be
> developing an XML library --- some Postgres companies might feel
> differently, but that is not the community's concern.
>
Our own implementation of SQL/XML generating functions like XMLFOREST or
XMLELEMENT should not be too difficult. A significantly more difficult
problem is parsing of XML (more so with namespaces), although some basic
support for XMLTABLE should not be too hard either.

Libxml2 is very complex because it supports a lot of APIs, a lot of
redundant APIs - SAX, DOM, DTD, ...
But we use only a few percent of the functionality of libxml2.

Isn't it possible to call Rust code from C? Then maybe there are some
possibilities from the Rust world:

https://github.com/ballsteve/xrust

Regards

Pavel

> --
> Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
> EDB https://enterprisedb.com
>
> Do not let urgent matters crowd out time for investment in the future.
>
>
>