Tatsuo Ishii <[EMAIL PROTECTED]> writes: > I guess I understand whay you are saying. However, I am not allowed to > talk to you about it unless cores allow me. Probably we need some > closed forum to discuss this kind of security issues.
Considering that you've already described the problem on pgsql-hackers, I hardly see how further discussion is going to create a bigger security breach than already exists. (I'm of the opinion that the problem is mostly a client problem anyway; AFAICS the issue only comes up if client software fails to consider encoding issues while doing escaping. There is certainly no way that we can magically solve the problem in a new PG release, and so trying to keep it quiet until we can work out a solution seems pointless.) regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend