Re: Bug 62479
Hi Lester,
On Mon, Jan 20, 2014 at 6:50 AM, Will Fitch <willfitch@php.net> wrote:
> On Sun, Jan 19, 2014, at 12:59 PM, Lester Caine wrote:
> > Will Fitch wrote:
> > > On Sun, Jan 19, 2014, at 02:15 AM, Lester Caine wrote:
> > >> >Will Fitch wrote:
> > >>> > >Then again, I didn't expect to have
> > >>> > >a bug where single quotes are part of the password, so there's
> always a
> > >>> > >surprise.
> > >> >
> > >> >Leaving holes that can possibly be used by hackers is the problem
> here.
> > >> >IF
> > >> >someone finds an edge case that does not get handled their next step
> is
> > >> >to see
> > >> >if it can be exploited? Code review is not a matter of 'surprise'
> > >> >but
> > >> >rather
> > >> >'what have I missed that could be a problem'?
> > > I agree. However, this is more of a situation of not accounting for
> all
> > > situations as opposed to introducing a security flaw. As I told Stas,
> > > I'm going to update to account for beginning/ending quotes.
> >
> > Many of the edge cases that get missed are quite benign but some of them
> > can be
> > a surprise. It is perhaps a little surprising how some holes can be
> > exploited,
> > even when we thought they were safe :(
>
> Well said. :)
Good point. Older PostgreSQL uses \ as escape char.
There is standard conforming string handling and it is the default
currently.
However, it's a configurable option. It's safe as long as E'str' is used.
Reference: standard_conforming_strings
http://www.postgresql.org/docs/9.1/static/runtime-config-compatible.html
Is this issue considered?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Thread (12 messages)