Re: possible design bug with PQescapeString() - Mailing list pgsql-hackers

From Tatsuo Ishii
Subject Re: possible design bug with PQescapeString()
Msg-id 20060228.101433.28783203.t-ishii@sraoss.co.jp
In response to Re: possible design bug with PQescapeString()  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
FYI

I have sent an email to cores to ask if I am OK to bring another issue,
closely related to this one, to open discussion, the details of which have
already been sent to them. The reason why I'm asking is, if this issue
could be open, then the issue might be open too and that makes
discussions easier.

At this point, I have had no response from them so far.
--
Tatsuo Ishii
SRA OSS, Inc. Japan

> Tatsuo Ishii <ishii@sraoss.co.jp> writes:
> > I guess I understand what you are saying. However, I am not allowed to
> > talk to you about it unless cores allow me. Probably we need some
> > closed forum to discuss this kind of security issues.
> 
> Considering that you've already described the problem on pgsql-hackers,
> I hardly see how further discussion is going to create a bigger security
> breach than already exists.
> 
> (I'm of the opinion that the problem is mostly a client problem anyway;
> AFAICS the issue only comes up if client software fails to consider
> encoding issues while doing escaping.  There is certainly no way that
> we can magically solve the problem in a new PG release, and so trying
> to keep it quiet until we can work out a solution seems pointless.)
> 
>             regards, tom lane
> 
> 

