Re: lower() and unaccent() not leakproof - Mailing list pgsql-general

From Daniel Gustafsson
Subject Re: lower() and unaccent() not leakproof
Date
Msg-id 2322C77D-2B8B-4C7E-965F-C4F20F21F8EE@yesql.se
In response to Re: lower() and unaccent() not leakproof  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
List pgsql-general
> On 26 Aug 2021, at 16:59, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> On 26.08.21 10:40, Daniel Gustafsson wrote:

>> Wouldn’t the difference in possible error messages in upper/lower be able to
>> leak whether the input is ascii or wide chars, and/or the collation?
>
> Yeah, but there aren't any error messages that relate to the argument string, if you look through the code.  There isn't any "could not find lower case equivalent of %s" or anything like that.

Correct.  My reading of "It reveals no information about its arguments other
than by its return value" was that error messages indicating different
codepaths based on argument structure weren't allowed. That might have been a bit
too lawyery an interpretation though.

--
Daniel Gustafsson        https://vmware.com/
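
For readers of the archive, an added example (not part of the original message or of the PostgreSQL sources) showing where the leakproof marking matters and how to audit it. The table, view and function names are hypothetical, the rows are constructed, and the non-ASCII test assumes a multibyte server encoding such as UTF8.

```sql
-- Constructed sample data; all object names are hypothetical.
CREATE TABLE accounts (owner text, note text);
INSERT INTO accounts VALUES
  ('alice', 'Ärger'),
  ('bob',   'plain ascii');

-- A security_barrier view: a caller-supplied qual may be evaluated below the
-- view's own WHERE clause only if every function in it is marked LEAKPROOF.
CREATE VIEW my_accounts WITH (security_barrier) AS
  SELECT * FROM accounts WHERE owner = current_user;

-- How the catalog marks the functions discussed in this thread.
-- unaccent appears only if the unaccent extension is installed.
SELECT p.oid::regprocedure AS func, p.proleakproof
FROM pg_proc p
WHERE p.proname IN ('lower', 'upper', 'unaccent');

-- A function whose error text contains its argument, i.e. the kind of
-- message ("could not find lower case equivalent of %s") the thread says
-- lower()/upper() do not have. Such a function must never be LEAKPROOF.
CREATE FUNCTION strict_ascii_lower(t text) RETURNS text
LANGUAGE plpgsql IMMUTABLE AS $$
BEGIN
  -- Assumption: multibyte encoding, so byte length differs from character
  -- length whenever a non-ASCII character is present.
  IF octet_length(t) <> char_length(t) THEN
    RAISE EXCEPTION 'no lower case equivalent of %', t;
  END IF;
  RETURN lower(t);
END $$;

-- Functions are created NOT LEAKPROOF by default, so the planner applies
-- this qual only to rows that already passed owner = current_user.
-- Compare the filter placement with the same query using a leakproof
-- operator on note.
EXPLAIN (COSTS OFF)
SELECT * FROM my_accounts WHERE strict_ascii_lower(note) = 'x';

-- Audit: functions outside the system schemas that someone has marked
-- LEAKPROOF (only a superuser can set the flag). Review each for error or
-- notice messages that include argument values.
SELECT p.oid::regprocedure AS func, r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.proleakproof
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```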



