Re: [SECURITY] DoS attack on backend possible (was: Re:

From: ngpg(at)grymmjack(dot)com
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [SECURITY] DoS attack on backend possible (was: Re:
Date: 2002-08-12 18:46:58
Message-ID: Xns92689613B30159wn7t0983uom3iu23n@64.49.215.80
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers pgsql-hackers

Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE (Florian Weimer) wrote in
news:8765yg2niw(dot)fsf(at)CERT(dot)Uni-Stuttgart(dot)DE:

> Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
>
>>> Yes, but if you just check that the date given by the user matches the
>>> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
>>> crash the backend.
>
>> Anyone who is using that regular expression in an attempt to validate a
>> user supplied date is already in trouble.
>
> I don't understand why extremely strict syntax checks are necessary.
> The database has to parse it again anyway, and if you can't rely on
> the database to get this simple parsing right, will it store your
> data? Such a reasoning doesn't seem to be too far-fetched to me

I believe this is often referred to as the layered onion approach of
security, besides that what constitutes extremely strict syntax checking is
somewhat subjective. What about checking the input for backslash, quote,
and double quote (\'")? If you are not taking care of those in input then
crashing the backend is going to be the least of your worries. I think
there needs to be some level of checking before the input is blindly passed
to the backend for parsing. Typically the input for an individual field
wouldnt be more than ~255 characters, unless you are dealing with TEXT or
lo's. I dont consider adding a length check to the usual \'" check to be
extreme... but perhaps just as necssary?

In response to

Responses

Browse pgsql-committers by date

  From Date Subject
Next Message Gerhard Hintermayer 2002-08-12 19:56:22 Re: [INTERFACES] libpgtcl modifications
Previous Message Tom Lane 2002-08-12 15:24:07 pgsql-server/src/port qsort.c

Browse pgsql-hackers by date

  From Date Subject
Next Message Marc G. Fournier 2002-08-12 19:44:12 Re: libpqxx
Previous Message Oliver Elphick 2002-08-12 17:46:14 Re: OOP real life example (was Re: Why is MySQL more