On Mon, Sep 14, 2009 at 12:17:55PM -0400, Tom Lane wrote: > Sam Mason <s...@samason.me.uk> writes: > > On Mon, Sep 14, 2009 at 05:45:14PM +0200, Saleem EDAH-TALLY wrote: > >> How can a user extract data from a container, by whatever > >> name we call it, if he does not have the key to open it ? > > > Exactly the same way that libpq does--debuggers are powerful tools! > > Or even easier, modify the source code of libpq to print out the data > after it's extracted it.
Yup, I suppose you could even modify libpq to rewrite the "good" SQL into whatever the attackers wants--bypassing any secret based scheme completely. > Security in an open-source world requires > a different set of tools than security in a closed-source world. Strictly speaking, a debugger is the universal mallet :) Also, it shouldn't change much. Security through obscurity is never good, it is employed far too often though thankfully (a bit) less in open-source programs. -- Sam http://samason.me.uk/ -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
