Quick Links

Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth

From:	Aleksander Alekseev <aleksander(at)timescale(dot)com>
To:	PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Cc:	Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Subject:	Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth
Date:	2025-05-08 12:22:35
Message-ID:	CAJ7c6TO_MwMnpuw3+dub+Gif7c2tkS90YjHbyR+tmzpSP_ooXw@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Hi Jacob,

> I forgot to put a recursion limit in the new OAuth parsers; the
> server-side depth checks don't apply to the client, and it's not using
> the incremental parser to move the burden from the stack to the heap.
> Luckily, we track the nesting level already, so a fix (attached) can
> be pretty small.
>
> [...]

Thanks for the patch. It looks good to me. It's well documented and
covered with tests. I can confirm that the tests pass. Also they fail
if I decrease the $nesting_limit value to 15.

--
Best regards,
Aleksander Alekseev

In response to

[PATCH] oauth: Prevent stack overflow by limiting JSON parse depth at 2025-05-07 18:13:24 from Jacob Champion

Responses

Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth at 2025-05-08 15:45:04 from Jacob Champion

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Noboru Saito	2025-05-08 12:31:33	Re: [PATCH] Fix <literal> tags in func.sgml
Previous Message	Aleksander Alekseev	2025-05-08 12:20:49	Re: Valgrind - showing memory leaks?