Weimer@CERT.Uni-Stuttgart.DE (Florian Weimer) wrote in
news:8765yg2niw.fsf@CERT.Uni-Stuttgart.DE:
> Gavin Sherry <swm@linuxworld.com.au> writes:
>
>>> Yes, but if you just check that the date given by the user matches the
>>> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
>>> crash the backend.
>
>> Anyone who is using that regular expression in an attempt to validate a
>> user supplied date is already in trouble.
>
> I don't understand why extremely strict syntax checks are necessary.
> The database has to parse it again anyway, and if you can't rely on
> the database to get this simple parsing right, will it store your
> data? Such a reasoning doesn't seem to be too far-fetched to me
I believe this is often referred to as the layered onion approach of
security, besides that what constitutes extremely strict syntax checking is
somewhat subjective. What about checking the input for backslash, quote,
and double quote (\'")? If you are not taking care of those in input then
crashing the backend is going to be the least of your worries. I think
there needs to be some level of checking before the input is blindly passed
to the backend for parsing. Typically the input for an individual field
wouldnt be more than ~255 characters, unless you are dealing with TEXT or
lo's. I dont consider adding a length check to the usual \'" check to be
extreme... but perhaps just as necssary?
