Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Tom Lane wrote:
> >> Have either of you inquired into the encoding-safety of this code?
> >> It certainly looks like no consideration was given for that.
> 
> > I thought of that but I assume we were not accepting user-supplied
> > identifiers for this --- that this was only for application use.  Am I
> > wrong?
> 
> By definition, an escaping routine is not supposed to trust the data it
> is handed.  We *will* be seeing a CVE report if this function has got
> any escaping vulnerability.
> 
> If you insist on a practical example, I can certainly imagine someone
> thinking it'd be cool to allow searches on a user-selected column, and
> implementing that by passing the user-given column name straight into
> the query with only PQescapeIdentifier for safety.

OK, does someone want to fix it, or should I revert it?

-- 
  Bruce Momjian   [EMAIL PROTECTED]
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
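
The encoding concern Tom raises above, as an added illustration that is not part of this thread and is not libpq's PQescapeIdentifier: a byte-wise identifier quoter beside an encoding-aware one that refuses input it cannot validate, applied to the "search on a user-selected column" scenario. The encodings it knows (UTF-8 and a GBK-style double-byte encoding), the function names, the table name and the sample column names are all assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example for this thread, NOT libpq code. UTF-8/GBK support, the
 * function names and the constructed inputs below are assumptions. */

typedef enum { ENC_UTF8, ENC_GBK } encoding_t;

/* Byte length of the character whose first byte is c, or 0 if c cannot start
 * a character in enc. GBK here: 0x00-0x7F single byte, 0x81-0xFE lead byte. */
static int char_len(encoding_t enc, unsigned char c)
{
    if (enc == ENC_GBK)
        return c < 0x80 ? 1 : (c >= 0x81 && c <= 0xFE) ? 2 : 0;
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;                       /* stray continuation byte or 0xF8+ */
}

/* 1 if every character in s[0..len) is complete and its trailing bytes are in
 * range for enc, else 0. A lead byte followed by '"' fails: 0x22 is not a legal
 * trailing byte in either encoding, so the character is simply truncated. */
static int valid_mb(encoding_t enc, const char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        int n = char_len(enc, (unsigned char) s[i]);
        if (n == 0 || i + n > len)
            return 0;               /* bad lead byte or truncated character */
        for (int k = 1; k < n; k++) {
            unsigned char t = (unsigned char) s[i + k];
            if (enc == ENC_GBK ? (t < 0x40 || t == 0x7F || t == 0xFF)
                               : ((t & 0xC0) != 0x80))
                return 0;
        }
        i += n;
    }
    return 1;
}

/* The pattern the thread is questioning: double every 0x22 byte and wrap the
 * result in double quotes without asking what encoding the bytes are in. It
 * happily quotes byte sequences that are not valid characters at all. */
char *quote_ident_naive(const char *s, size_t len)
{
    char *out = malloc(2 * len + 3), *p = out;
    if (out == NULL) return NULL;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '"') *p++ = '"';
        *p++ = s[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Encoding-aware variant: reject input that is not valid in the client
 * encoding, then copy whole characters so a '"' is only recognised when it is
 * a single-byte character. Returns NULL on invalid input; the caller must stop
 * building the query rather than fall back to the raw string. */
char *quote_ident_safe(encoding_t enc, const char *s, size_t len)
{
    if (!valid_mb(enc, s, len)) return NULL;
    char *out = malloc(2 * len + 3), *p = out;
    if (out == NULL) return NULL;
    *p++ = '"';
    for (size_t i = 0; i < len; ) {
        int n = char_len(enc, (unsigned char) s[i]);
        if (n == 1 && s[i] == '"') *p++ = '"';
        memcpy(p, s + i, (size_t) n);
        p += n;
        i += n;
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* The "search on a user-selected column" query from the thread. Returns NULL if
 * the column name could not be quoted safely. */
char *build_search_query(encoding_t enc, const char *user_col)
{
    char *q = quote_ident_safe(enc, user_col, strlen(user_col));
    if (q == NULL) return NULL;
    size_t n = strlen(q) + 64;
    char *sql = malloc(n);
    if (sql != NULL)
        snprintf(sql, n, "SELECT * FROM items WHERE %s = $1", q);
    free(q);
    return sql;
}

int main(void)
{
    /* Constructed inputs: an ordinary name, one containing '"', and a GBK lead
     * byte followed by '"' (an incomplete character ending in the quote). */
    const char *inputs[] = { "price", "odd\"name", "\x81\"" };
    for (int i = 0; i < 3; i++) {
        char *naive = quote_ident_naive(inputs[i], strlen(inputs[i]));
        char *sql = build_search_query(ENC_GBK, inputs[i]);
        printf("naive: %s\nsafe : %s\n\n", naive, sql ? sql : "(rejected)");
        free(naive);
        free(sql);
    }
    return 0;
}
```

The design choice worth noting is that the safe variant refuses rather than repairs: once the input is not a valid string in the client encoding there is no byte sequence the quoter can emit whose meaning it can vouch for, so the only honest answer is an error the application has to handle before any SQL is assembled. The naive variant returns a plausible-looking quoted string for the same input, which is exactly why the caller in Tom's scenario would never notice anything was wrong.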
