Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

From ngpg@grymmjack.com
Subject Re: [SECURITY] DoS attack on backend possible
Date
Msg-id Xns926FAC763A2C59wn7t0983uom3iu23n@64.49.215.80
In response to Re: [SECURITY] DoS attack on backend possible  (Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>)
Responses Re: [SECURITY] DoS attack on backend possible  (Curt Sampson <cjs@cynic.net>)
Re: [SECURITY] DoS attack on backend possible  (Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>)
List pgsql-hackers
Weimer@CERT.Uni-Stuttgart.DE (Florian Weimer) wrote
> Alvar Freude <alvar@a-blast.org> writes:
> 
>>>  What about checking the input for backslash, quote, 
>>> and double quote (\'")?  If you are not taking care of those in
>>> input then  crashing the backend is going to be the least of your
>>> worries. 
>>
>> with Perl and *using placeholders and bind values*, the application
>> developer does not have to worry about this. So, usually I don't check the
>> values in my applications (e.g. if only values between 1 and 5 are
>> allowed and under normal circumstances only these are possible), it's
>> the task of the database (check constraint). 
> 
> That's the idea.  It's the job of the database to guarantee data
> integrity.
> 
> Obviously, the PostgreSQL developers disagree.  If I've got to do all
> checking in the application anyway, I can almost use MySQL
> instead. ;-)
> 

Perhaps I did not express myself very well.
If you are going to be passing any user input to the database, you 
must/should validate it in some manner before blindly passing it to the db.
The db can and should guarantee data integrity, but the database cannot 
read your mind when it comes to how you structure your queries.

$input = "user'name";
INSERT INTO db (name) VALUES ('$input');

will fail because the ' in the input needs to be escaped with a 
backslash.  At some point this has to happen, because

INSERT INTO db (name) VALUES ('user'name');

is not a valid query.

The other thing is I think you are stretching the "db integrity 
checking" argument a little too far.  It's the db's responsibility to make 
sure only valid data is stored, but it's not the db's responsibility to 
directly interact with your end users -- this is the job of your 
application and interface.  If you insert a new record and there is a 
constraint violation, how is your application supposed to know what 
illegal value(s) is/are causing it?  How are you supposed to convey the 
proper information to your user to get the input you are looking for?

Besides all that, and I don't mean to insult you, but you're just plain 
stupid if you blindly pass user-inputted data to your db.  For that 
matter, you're stupid if you blindly accept user input in any programming 
without checking it at some level.
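
The two patterns argued over in this message, as an added example that is not from the original post, from the Perl code it alludes to, or from PostgreSQL: interpolating `user'name` straight into the SQL text versus handing it to the driver as a bound value, plus an application-side range check placed in front of a CHECK constraint so the user can be told which field is wrong instead of getting a bare constraint violation. It is Python using the standard-library `sqlite3` module as a stand-in for PostgreSQL so it runs offline; the `names` table, the `rating` column with its 1..5 constraint and the sample values are constructed for the example, and the `?` placeholders correspond to DBI's `prepare`/`execute` with bind values.

```python
import sqlite3

# sqlite3 stands in for PostgreSQL so the example runs offline; the placeholder
# mechanism is the same idea as DBI's prepare/execute with "?" bind values.
SAMPLE_INPUT = "user'name"   # the value from the post (constructed sample)


def open_db():
    """In-memory table with a CHECK constraint like the 1..5 example in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE names ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " rating INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5))"
    )
    return conn


def insert_interpolated(conn, name, rating):
    """The pattern criticised in the post: the raw value is pasted into the
    SQL text, so a quote in the data becomes part of the statement and the
    parser rejects it (or, with crafted input, runs something the author
    never wrote).  Returns (ok, error_text)."""
    sql = f"INSERT INTO names (name, rating) VALUES ('{name}', {rating})"
    try:
        conn.execute(sql)
        conn.commit()
        return True, None
    except sqlite3.Error as exc:
        return False, str(exc)


def insert_bound(conn, name, rating):
    """Placeholders / bind values: the SQL text is fixed and the driver hands
    the values to the database separately, so no escaping is needed for the
    statement to stay well-formed.  A CHECK violation still surfaces only as
    a generic integrity error that names no input field."""
    try:
        conn.execute("INSERT INTO names (name, rating) VALUES (?, ?)",
                     (name, rating))
        conn.commit()
        return True, None
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def validate_rating(raw):
    """Application-side check of the one field with known bounds.  It does
    not replace the constraint; it lets the interface say *which* field is
    wrong and why.  Returns (value, error_text)."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None, "rating must be a whole number"
    if not 1 <= value <= 5:
        return None, f"rating must be between 1 and 5, got {value}"
    return value, None


def add_name(conn, name, raw_rating):
    """Validate first, then insert with bind values.  Returns (ok, message)."""
    rating, err = validate_rating(raw_rating)
    if err:
        return False, err
    ok, dberr = insert_bound(conn, name, rating)
    return ok, (None if ok else "database rejected the row: " + dberr)


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM names ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(insert_interpolated(db, SAMPLE_INPUT, 3))   # ok is False: syntax error
    print(insert_bound(db, SAMPLE_INPUT, 3))          # (True, None)
    print(insert_bound(db, "bob", 7))                 # ok is False: CHECK violation
    print(add_name(db, "carol", "7"))                 # precise message for the user
    print(stored_names(db))                           # ["user'name"]
```

The interpolated insert fails for exactly the reason the post gives: the quote in the data ends the string literal early. The bound insert stores `user'name` unchanged without any escaping in the application. The last two calls show the other half of the argument: `insert_bound` with a rating of 7 is refused by the database, but the error says nothing about which input caused it, whereas `add_name` rejects the same value before it reaches the database with a message the interface can show the user.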

