Pavel Stehule wrote:
2010/5/19 Mike Fowler <m...@mlfowler.com>:
Pavel Stehule wrote:
see google: lateral sql injection oracle NLS_DATE_FORMAT
I would to like this functionality too - and technically I don't see a
problem - It's less than 100 lines, but I don't need a new security
problem. So my proposal is change nothing on this integrated
functionality and add new custom date type - like cdate that can be
customized via GUC.
Regards
Pavel
OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
an arbitrary string which is then used for the attack, To me this is easy to
code against, simply lock the date format right down and ensure that it is
always controlled. IMHO I don't see an Oracle specific attack as a reason
why we can't have a generic format. Surely we can learn from this known
vulnerability and get another one up on Oracle?
I am not a security expert - you can simply don't allow apostrophe,
double quotes - but I am not sure, if this can be safe - simply - I am
abe to write this patch, but I am not able to ensure security.
Regards
Pavel
Well you've rightly identified a potential security hole, so my
recommendation would be to put the patch together bearing in mind the
Oracle vulnerability. Once you've submitted the patch it can be reviewed
and we can ensure that you've managed to steer clear of introducing the
same/similar vulnerability into postgres.
Am I right in thinking that you're now proposing to do the generic patch
that Robert Haas and I prefer?
Thanks,
--
Mike Fowler
Registered Linux user: 379787
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
