> -----Original Message-----
> From: Gavin Sherry [mailto:swm@linuxworld.com.au]
> Sent: 12 August 2002 15:15
> To: Florian Weimer
> Cc: pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] [SECURITY] DoS attack on backend
> possible (was: Re:
>
>
> On Mon, 12 Aug 2002, Florian Weimer wrote:
>
> > Gavin Sherry <swm@linuxworld.com.au> writes:
> >
> > >> Yes, but if you just check that the date given by the
> user matches
> > >> the regular expression "[0-9]+-[0-9]+-[0-9]+", it's
> still possible
> > >> to crash the backend.
> >
> > > Anyone who is using that regular expression in an attempt to
> > > validate a user supplied date is already in trouble.
> >
> > I don't understand why extremely strict syntax checks are
> necessary.
> > The database has to parse it again anyway, and if you can't rely on
> > the database to get this simple parsing right, will it store your
> > data? Such a reasoning doesn't seem to be too far-fetched to me
>
> Why attempt to validate the user data at all if you're going
> to do a bad job of it? Moreover, 'rely on the database to get
> this ... right': what kind of security principle is that? For
> someone interested in security, you've just broken the most
> important principle.
If I write code in a Microsoft product such as VB it will happily accept
timestamps such as '2001-12-23 22.15.01' which is a perfectly valid date
in some parts of the world. PostgreSQL will barf on the .'s - is it
expected then that I write my own validation/parsing code to replace
Microsoft's in this and every other area that may need checking just
because PostgreSQL doesn't understand a particular format? I would
rather let PostgreSQL alone know about it's oddities and just throw me
an error I can deal with in such cases.
Regards, Dave.
PS (Gavin). Thanks for the CREATE OR REPLACE's you recently submitted!
