> -----Original Message-----
> From: Gavin Sherry [mailto:[EMAIL PROTECTED]] 
> Sent: 12 August 2002 15:15
> To: Florian Weimer
> Cc: [EMAIL PROTECTED]
> Subject: Re: [HACKERS] [SECURITY] DoS attack on backend 
> possible (was: Re:
> 
> 
> On Mon, 12 Aug 2002, Florian Weimer wrote:
> 
> > Gavin Sherry <[EMAIL PROTECTED]> writes:
> > 
> > >> Yes, but if you just check that the date given by the user matches
> > >> the regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible
> > >> to crash the backend.
> > 
> > > Anyone who is using that regular expression in an attempt to 
> > > validate a user supplied date is already in trouble.
> > 
> > I don't understand why extremely strict syntax checks are necessary.
> > The database has to parse it again anyway, and if you can't rely on
> > the database to get this simple parsing right, will it store your
> > data?  Such a reasoning doesn't seem to be too far-fetched to me
> 
> Why attempt to validate the user data at all if you're going 
> to do a bad job of it? Moreover, 'rely on the database to get 
> this ... right': what kind of security principle is that? For 
> someone interested in security, you've just broken the most 
> important principle.

If I write code in a Microsoft product such as VB it will happily accept
timestamps such as '2001-12-23 22.15.01' which is a perfectly valid date
in some parts of the world. PostgreSQL will barf on the .'s - is it
expected then that I write my own validation/parsing code to replace
Microsoft's in this and every other area that may need checking just
because PostgreSQL doesn't understand a particular format? I would
rather let PostgreSQL alone know about its oddities and just throw me
an error I can deal with in such cases.

Regards, Dave.

PS (Gavin). Thanks for the CREATE OR REPLACE's you recently submitted!
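A typed-parsing alternative to the loose regex check debated in this thread, as an added example (not code from any of the posters); it assumes a Python application handing a bound parameter to a DB-API driver and a hypothetical `events` table, and treats the '22.15.01' time style as the one extra format the application chooses to accept:

```python
import re
from datetime import datetime

# Loose pattern of the kind the thread warns against: it accepts any run of
# digits, so "99999999999-1-1" passes even though no backend can store it.
LOOSE_DATE_RE = re.compile(r"[0-9]+-[0-9]+-[0-9]+")

# Formats the application is willing to accept. The last one is the
# '2001-12-23 22.15.01' style from the message (assumed here to be the
# only locale variant this application wants to support).
ACCEPTED_FORMATS = ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H.%M.%S")


def loose_check(value: str) -> bool:
    """The regex-only check under discussion; kept for comparison."""
    return LOOSE_DATE_RE.fullmatch(value) is not None


def parse_user_timestamp(value: str) -> datetime:
    """Turn user input into a typed datetime or raise ValueError.

    Parsing (rather than pattern matching) bounds every field: strptime
    rejects month 13, day 32, an eleven-digit year, and anything not in
    the accepted list. The datetime object, not the raw string, is what
    later reaches the database as a bound parameter.
    """
    if len(value) > 32:          # cheap size bound before any parsing
        raise ValueError("timestamp too long")
    for fmt in ACCEPTED_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def insert_event_query(value: str):
    """Build a parameterised INSERT for the hypothetical `events` table.

    Returns the SQL text and the parameter tuple a DB-API driver would
    receive; nothing from `value` is spliced into the SQL string, and the
    driver ships a typed datetime, so the backend parser never sees the
    user's original text.
    """
    ts = parse_user_timestamp(value)
    return "INSERT INTO events (happened_at) VALUES (%s)", (ts,)
```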
