2010/5/19 Mike Fowler <m...@mlfowler.com>: > Pavel Stehule wrote: >> >> see google: lateral sql injection oracle NLS_DATE_FORMAT >> >> I would to like this functionality too - and technically I don't see a >> problem - It's less than 100 lines, but I don't need a new security >> problem. So my proposal is change nothing on this integrated >> functionality and add new custom date type - like cdate that can be >> customized via GUC. >> >> Regards >> Pavel > > OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From > the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to > an arbitrary string which is then used for the attack, To me this is easy to > code against, simply lock the date format right down and ensure that it is > always controlled. IMHO I don't see an Oracle specific attack as a reason > why we can't have a generic format. Surely we can learn from this known > vulnerability and get another one up on Oracle?
I am not a security expert - you can simply don't allow apostrophe, double quotes - but I am not sure, if this can be safe - simply - I am abe to write this patch, but I am not able to ensure security. Regards Pavel > > Thanks, > > -- > Mike Fowler > Registered Linux user: 379787 > > "I could be a genius if I just put my mind to it, and I, > I could do anything, if only I could get 'round to it" > -PULP 'Glory Days' > > -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
