Re: lower() and unaccent() not leakproof - Mailing list pgsql-general

From David G. Johnston
Subject Re: lower() and unaccent() not leakproof
Date
Msg-id CAKFQuwYtO2ifxXzqL7BTgyjZFfUGcv=gyH9Gu+LkQQ163ib_=Q@mail.gmail.com
In response to lower() and unaccent() not leakproof  (Christophe Pettus <xof@thebuild.com>)
Responses Re: lower() and unaccent() not leakproof
List pgsql-general
On Wednesday, August 25, 2021, Christophe Pettus <xof@thebuild.com> wrote:
lower() and unaccent() (and most string functions) are not marked as leakproof.  Is this due to possible locale / character encoding errors they might encounter?


I think you are partially correct.  It's due to the fact that error messages, regardless of the root cause, result in the printing of the input value in the error message as context; thus there exists a leak via a violation of “It reveals no information about its arguments other than by its return value.”

David J.
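
The following is an added example, not part of the original message or of PostgreSQL's own code: a psql session that checks the leakproof marking of the functions discussed in this thread and shows how the planner treats a non-leakproof call under row-level security. The table `accounts`, the role `alice`, the policy and the index names are hypothetical, and `unaccent` only appears in the catalog query if that extension is installed.

```sql
-- Constructed sample schema; all object names here are hypothetical.
CREATE TABLE accounts (
    id         int  PRIMARY KEY,
    owner_name text NOT NULL,
    name       text NOT NULL
);
INSERT INTO accounts VALUES (1, 'alice', 'Emile'), (2, 'bob', 'Zoe');
CREATE INDEX accounts_lower_name ON accounts (lower(name));

-- Row-level security: each role sees only its own rows.
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY accounts_owner ON accounts
    USING (owner_name = current_user);

-- 1. Inspect the catalog flag the thread is about.
--    texteq (the function behind "text = text") is included for comparison.
SELECT p.oid::regprocedure AS function,
       p.proleakproof,
       p.provolatile
FROM pg_proc AS p
WHERE p.proname IN ('lower', 'unaccent', 'texteq')
ORDER BY 1;

-- 2. Look at the plan as a role that is subject to the policy.
--    (The table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set.)
CREATE ROLE alice;
GRANT SELECT ON accounts TO alice;

SET ROLE alice;
EXPLAIN (COSTS OFF)
SELECT id, name
FROM accounts
WHERE lower(name) = 'emile';
RESET ROLE;

-- What to check in the EXPLAIN output:
--   * the policy qual (owner_name = CURRENT_USER) comes before lower(name)
--     in the Filter, so lower() only ever sees rows the policy has passed;
--   * lower(name) is not used as an Index Cond on accounts_lower_name,
--     because a clause containing a non-leakproof function may not be
--     evaluated ahead of the security qual.

-- Cleanup of the constructed objects.
DROP TABLE accounts;
DROP ROLE alice;
```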
