On Thu, Sep 12, 2019 at 1:38 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> In any case, from a purely theoretical viewpoint, such an error message
> *does* constitute a leak of information about the input strings. Whether
> it's a usable leak is very debatable, but that's basically what we've
> got to decide.

I'm pretty content to ignore information leaks that can only happen if the database is corrupt anyway. If that's moving the goalposts at all, it's about a quarter-inch. I mean, a slightly differently corrupted varlena could crash the database entirely.

I wouldn't feel comfortable with ignoring information leaks that can happen with some valid strings but not others. That sounds like exactly the sort of information leak that we must prevent. The user can write arbitrary stuff in their query, potentially transforming strings so that the result hits the ERROR iff the original string had some arbitrary property P for which they wish to test. Allowing that sounds no different than deciding that int4div is leakproof, which it sure isn't.

However, I wonder if there's any realistic case outside of an encoding conversion where such failures can occur. I would expect, perhaps naively, that the set of characters that can be represented by UTF-16 is the same set as can be represented by UTF-8.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
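
An added illustration of the int4div point above; it is not part of the original message and is not PostgreSQL code. It is a toy Python model in which a predicate that errors on some valid inputs is allowed to run ahead of a row filter only when its function is marked leakproof. The table, the names and the evaluation model are constructed assumptions.

```python
# Toy model (constructed): why a function that raises an ERROR on some valid
# inputs must not be treated as leakproof. Not PostgreSQL's planner or executor.

class QueryError(Exception):
    """Stands in for an SQL ERROR that aborts the whole query."""

def int4div(a, b):
    # Fails for one valid input value (b == 0) and succeeds for all others.
    if b == 0:
        raise QueryError("division by zero")
    return int(a / b)  # truncate toward zero

ROWS = [  # constructed sample table
    {"owner": "alice", "salary": 50000},
    {"owner": "bob", "salary": 72000},
]

def run_query(rows, user, user_pred, leakproof):
    """Return the rows visible to `user` that satisfy `user_pred`.

    Model assumption: a predicate whose function is marked leakproof may be
    evaluated before the security filter, so it sees every row. Otherwise it
    only ever sees rows the user is already allowed to read.
    """
    out = []
    for row in rows:
        if leakproof:
            keep = user_pred(row) and row["owner"] == user
        else:
            keep = row["owner"] == user and user_pred(row)
        if keep:
            out.append(row)
    return out

def query_errors(rows, user, guess, leakproof):
    """True if the query aborts with an ERROR for this guessed value."""
    pred = lambda r: int4div(1, r["salary"] - guess) >= 0
    try:
        run_query(rows, user, pred, leakproof)
        return False
    except QueryError:
        return True
```

In this model the ERROR occurs iff some row the predicate sees has the guessed salary, which is the "property P" test described in the message; keeping int4div non-leakproof confines that test to rows the user can already read.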