On 2016-02-10 17:00, Tom Lane wrote:
Larry Rosenman <l...@lerctr.org> writes:
On 2016-02-10 16:19, Tom Lane wrote:
I looked into the OS X sources, and found that indeed you are right:
*scanf processes the input a byte at a time, and applies isspace() to
each byte separately, even when the locale is such that that's a
clearly insane thing to do. Since this code was derived from FreeBSD, FreeBSD has or once had the same issue. (A look at the freebsd project on github says it still does, assuming that's the authoritative repo.)
Not sure about other BSDen.

Definitive FreeBSD Sources:

Ah, thanks for the link.  I'm not totally sure which branch is most
current, but at least on this one, it's still clearly wrong:
convert_string(), which handles %s, applies isspace() to individual bytes regardless of locale. convert_wstring(), which handles %ls, does it more intelligently ... but as I said upthread, relying on %ls would just give
us a different set of portability problems.

It looks like Artur's patch is indeed what we need to do, along with
looking around for other *scanf() uses that are vulnerable.

                        regards, tom lane

that would be the current 10.x tree, production, and getting ready for 10.3 which is in code slush.

If you want, file a bug at https://bugs.freebsd.org/bugzilla

Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: l...@lerctr.org
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to