2010/5/19 Mike Fowler <m...@mlfowler.com>:
> Pavel Stehule wrote:
>>
>> 2010/5/19 Mike Fowler <m...@mlfowler.com>:
>>>
>>> Pavel Stehule wrote:
>>>>
>>>> see google: lateral sql injection oracle NLS_DATE_FORMAT
>>>>
>>>> I would like this functionality too - and technically I don't see a
>>>> problem - it's less than 100 lines, but I don't need a new security
>>>> problem. So my proposal is to change nothing on this integrated
>>>> functionality and add a new custom date type - like cdate - that can be
>>>> customized via GUC.
>>>>
>>>> Regards
>>>> Pavel
>>>>
>>>
>>> OK, I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
>>> the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
>>> an arbitrary string which is then used for the attack. To me this is easy to
>>> code against: simply lock the date format right down and ensure that it is
>>> always controlled. IMHO I don't see an Oracle-specific attack as a reason
>>> why we can't have a generic format. Surely we can learn from this known
>>> vulnerability and get another one up on Oracle?
>>>
>>
>> I am not a security expert - you can simply disallow apostrophes and
>> double quotes - but I am not sure if this can be safe. Simply, I am
>> able to write this patch, but I am not able to ensure security.
>>
>> Regards
>> Pavel
>>
>
> Well, you've rightly identified a potential security hole, so my
> recommendation would be to put the patch together bearing in mind the Oracle
> vulnerability. Once you've submitted the patch it can be reviewed and we can
> ensure that you've managed to steer clear of introducing the same/similar
> vulnerability into postgres.
>
> Am I right in thinking that you're now proposing to do the generic patch
> that Robert Haas and I prefer?

I'll look at the code and I'll see.

Pavel

> Thanks,
>
> --
> Mike Fowler
> Registered Linux user: 379787
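The "lock the date format right down" approach discussed above, as an added illustration that is not part of the thread and not PostgreSQL's own code: a whitelist validator for a session-settable date template, written in Python. It assumes a constructed subset of to_char-style tokens (YYYY, MM, DD, Mon, ...) plus plain separators; quoted literal text, which a real to_char template accepts and which the lateral injection paper relies on, is deliberately absent from the whitelist, so it is rejected rather than filtered.

```python
import re
from datetime import date

# Constructed subset of to_char-style template tokens, mapped to strftime codes.
TOKEN_MAP = {
    "YYYY": "%Y", "YY": "%y", "MM": "%m", "DD": "%d",
    "Month": "%B", "Mon": "%b", "Day": "%A", "Dy": "%a",
    "HH24": "%H", "HH": "%I", "MI": "%M", "SS": "%S",
}
# Longest tokens first, so "YYYY" is not read as "YY"+"YY" and "Month" not as "Mon"+"th".
_TOKEN_RE = re.compile("|".join(sorted(TOKEN_MAP, key=len, reverse=True)))
# Only inert punctuation may separate tokens; quotes, parentheses, semicolons etc. are not here.
ALLOWED_SEPARATORS = set(" -/.:,")

# Date of the thread, used as constructed sample input.
EXAMPLE_DATE = date(2010, 5, 19)


def validate_date_format(fmt: str) -> bool:
    """Accept a template only if it consists solely of whitelisted tokens and separators.

    Anything outside the whitelist (including '...' and "..." literal text) is rejected,
    so a rendered date can never carry attacker-chosen characters into SQL text.
    """
    pos = 0
    while pos < len(fmt):
        m = _TOKEN_RE.match(fmt, pos)
        if m:
            pos = m.end()
        elif fmt[pos] in ALLOWED_SEPARATORS:
            pos += 1
        else:
            return False
    return pos > 0  # an empty template is not a usable format


def render_date(d: date, fmt: str) -> str:
    """Render d with a validated template; refuse any template the whitelist does not cover."""
    if not validate_date_format(fmt):
        raise ValueError("date format rejected: %r" % fmt)
    strftime_fmt = _TOKEN_RE.sub(lambda m: TOKEN_MAP[m.group(0)], fmt)
    return d.strftime(strftime_fmt)


if __name__ == "__main__":
    print(render_date(EXAMPLE_DATE, "DD Mon YYYY"))      # 19 May 2010
    print(validate_date_format('YYYY"text"'))           # False: literal text is not whitelisted
```

Even with a validated template, the rendered string should still be bound as a query parameter rather than concatenated into SQL; the whitelist removes the format as an injection channel but is not a substitute for parameterisation.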