Home > mailing lists

pgsql: oauth: Limit JSON parsing depth in the client - Mailing list pgsql-committers

From	Jacob Champion
Subject	pgsql: oauth: Limit JSON parsing depth in the client
Date	May 23 23:09:25
Msg-id	E1uIYho-000Saz-1w@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

oauth: Limit JSON parsing depth in the client

Check the ctx->nested level as we go, to prevent a server from running
the client out of stack space.

The limit we choose when communicating with authorization servers can't
be overly strict, since those servers will continue to add extensions in
their JSON documents which we need to correctly ignore. For the SASL
communication, we can be more conservative, since there are no defined
extensions (and the peer is probably more Postgres code).

Reviewed-by: Aleksander Alekseev <aleksander@timescale.com>
Discussion: https://postgr.es/m/CAOYmi%2Bm71aRUEi0oQE9ciBnBS8xVtMn3CifaPu2kmJzUfhOZgA%40mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/cbc8fd0c9aec01f451af5e4eeb0eb2c5d5e47eb2

Modified Files
--------------
src/interfaces/libpq-oauth/oauth-curl.c            | 26 ++++++++++++++++++
src/interfaces/libpq/fe-auth-oauth.c               | 25 +++++++++++++++++
src/test/modules/oauth_validator/t/001_server.pl   | 20 ++++++++++++++
src/test/modules/oauth_validator/t/oauth_server.py | 31 +++++++++++++++++-----
4 files changed, 96 insertions(+), 6 deletions(-)

pgsql-committers by date:

From: Bruce Momjian
Date: 23 May, 23:01:31
Subject: pgsql: doc PG 18 relnotes: update to current

From: Bruce Momjian
Date: 24 May, 00:02:35
Subject: pgsql: doc PG 18 relnotes: clarify btree skip-scan item

pgsql: oauth: Limit JSON parsing depth in the client - Mailing list pgsql-committers

Previous

Next