Re: can we mark upper/lower/textlike functions leakproof? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: can we mark upper/lower/textlike functions leakproof?
Date
Msg-id 3416373.1722449026@sss.pgh.pa.us
Whole thread Raw
In response to Re: can we mark upper/lower/textlike functions leakproof?  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: can we mark upper/lower/textlike functions leakproof?
Re: can we mark upper/lower/textlike functions leakproof?
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> If there are some inputs that cause upper() and lower() to fail and
> others that do not, the functions aren't leakproof, because an
> attacker can extract information about values that they can't see by
> feeding those values into these functions and seeing whether they get
> a failure or not.

> [ rather exhaustive analysis redacted ]

> So in summary, I think upper() is ... pretty close to leakproof. But
> if ICU sometimes fails on certain strings, then it isn't. And if the
> multi-byte libc path can be made to fail reliably either with really
> long strings or with certain choices of the LC_CTYPE locale, then it
> isn't.

The problem here is that marking these functions leakproof is a
promise about a *whole bunch* of code, much of it not under our
control; worse, there's no reason to think all that code is stable.
A large fraction of it didn't even exist a few versions ago.

Even if we could convince ourselves that the possible issues Robert
mentions aren't real at the moment, I think marking these leakproof
is mighty risky.  It's unlikely we'd remember to revisit the marking
the next time someone drops a bunch of new code in here.

            regards, tom lane



pgsql-hackers by date:

Previous
From: Christophe Pettus
Date:
Subject: Re: CI, macports, darwin version problems
Next
From: Christophe Pettus
Date:
Subject: Re: CI, macports, darwin version problems