On Tue, May 09, 2017 at 12:48:01PM -0400, Tom Lane wrote: > David Fetter <da...@fetter.org> writes: > > On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote: > >> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack <c...@anastigmatix.net> > >> wrote: > >>> invalid input syntax for integer: "21' && 1=2)) Uni/**/ON > >>> SEl/**/eCT 0x646665743166657274,0x646665743266657274, > >>> 0x646665743366657274 -- " > > >> Now that is choice. I wonder what specific database system that's > >> targeting... > > > It could well be targeting some class of pipeline to the database, > > too, for example one that removes comments and/or un-escapes. > > Yeah. It's a bit hard to see a database's parser treating "Uni/**/ON" > as UNION, but if some stack someplace had a keyword check ahead of > a comment-stripping step, maybe that could do something useful.
Right. > > It occurs to me that psql's habit of stripping out everything on a > > line that follows a double dash might be vulnerable in this way, but > > I wouldn't see such vulnerabilities as super easy to exploit, as psql > > isn't usually exposed directly to input from the internet. > > I don't think that's a problem: while psql will remove "--" and everything > following it until newline, it won't remove the newline. So there's still > a token boundary there. If we tried to strip /*...*/ comments we'd have > to be more careful. We may still need to be careful. davidfetter@davidfetter=# SELECT 'foo'-- stuff goes here 'bar'; ?column? ---------- foobar (1 row) > As far as the actual thread topic goes, I tend to agree with > Robert's doubt that there's enough utility or consensus for this. I'm pretty sure we're going to need a logger with more structure than our default, especially as those logs get machine-parsed, and more importantly, machine-acted-upon. Best, David. -- David Fetter <david(at)fetter(dot)org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers