Peter Geoghegan <p...@heroku.com> writes:
> I looked into it, and it turns out that MongoDB does not accept NUL in
> at least some contexts (for object keys). Apparently it wasn't always
> so. MongoDB previously had a security issue that was fixed by
> introducing this restriction. Their JSON-centric equivalent of
> per-column privileges was for a time compromised, because "NUL
> injection" was possible:

> https://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/

> It's easy to bash MongoDB, but this is still an interesting data
> point. They changed this after the fact, and yet I can find no
> evidence of any grumbling about it from end users. No one really
> noticed.

Hoo, that's interesting.  Lends some support to my half-baked idea that
we might disallow NUL in object keys even if we are able to allow it
elsewhere in JSON strings.

                        regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
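
An added example, not part of the thread and not PostgreSQL code: a Python sketch of the rule discussed above, accepting `\u0000` in JSON string values but rejecting it in object keys, with a helper showing which keys become indistinguishable to a consumer that reads them as NUL-terminated strings. All function names and the sample documents are constructed for illustration.

```python
import json

class NulInKeyError(ValueError):
    """Raised when an object key contains U+0000."""

def _reject_nul_keys(pairs):
    # The json module calls this hook for every object in the document
    # (nested ones included) with its (key, value) pairs in order.
    for key, _ in pairs:
        if "\x00" in key:
            raise NulInKeyError(f"NUL in object key {key!r}")
    return dict(pairs)

def parse_json_no_nul_keys(text):
    """Parse JSON, allowing \\u0000 in string values but not in keys."""
    return json.loads(text, object_pairs_hook=_reject_nul_keys)

def c_string_view(key):
    # Assumption: a downstream consumer handles the key as a
    # NUL-terminated string, so it sees only the part before the NUL.
    return key.split("\x00", 1)[0]

def truncation_collisions(text):
    """Group top-level keys of a JSON object that collide once truncated."""
    pairs = json.loads(text, object_pairs_hook=list)
    seen = {}
    for key, _ in pairs:
        seen.setdefault(c_string_view(key), []).append(key)
    return {short: keys for short, keys in seen.items() if len(keys) > 1}

# Constructed sample documents (not taken from the thread).
DOC_NUL_IN_VALUE = '{"note": "a\\u0000b"}'
DOC_NUL_IN_KEY = '{"name": "a", "name\\u0000x": "b"}'
DOC_NUL_IN_NESTED_KEY = '{"outer": {"in\\u0000ner": 1}}'

if __name__ == "__main__":
    print(parse_json_no_nul_keys(DOC_NUL_IN_VALUE))
    print(truncation_collisions(DOC_NUL_IN_KEY))
    for doc in (DOC_NUL_IN_KEY, DOC_NUL_IN_NESTED_KEY):
        try:
            parse_json_no_nul_keys(doc)
        except NulInKeyError as exc:
            print("rejected:", exc)
```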
