Would someone submit a patch for this?
---------------------------------------------------------------------------
Tom Lane wrote:
> Neil Conway <neilc@samurai.com> writes:
> > (2) The length supplied by the user is completely ignored by
> > the code, and it simply reads the input until it sees a
> > NULL terminator (read the comments in the code about 10
> > lines down.) Therefore, any sanity checking on the length
> > specified by the user is a waste of time.
>
> Agreed; the fact that the protocol requires a length word at all is just
> a hangover from the past. We can read the length word and forget it.
>
> I wonder though if it'd be worthwhile to limit the length of the string
> that we are willing to read from the client in the second step. We are
> at this point dealing with an unauthenticated user, so we should be
> untrusting. And I think Sir Mordred has a point: forcing a backend to
> allocate a lot of memory can be a form of DoS attack.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073