Re: W3C Specs: Web SQL
| From | David Fetter |
|---|---|
| Subject | Re: W3C Specs: Web SQL |
| Date | |
| Msg-id | 20101108220733.GA17202@fetter.org |
| In reply to | Re: W3C Specs: Web SQL (Charles Pritchard <chuck@jumis.com>) |
| Responses | Re: W3C Specs: Web SQL |
| List | pgsql-hackers |
On Mon, Nov 08, 2010 at 10:36:16AM -0800, Charles Pritchard wrote:
> On 11/8/2010 7:55 AM, Alvaro Herrera wrote:
> > Excerpts from Charles Pritchard's message of sáb nov 06 23:20:13 -0300 2010:
> >
> > > Simple async sql sub-set (the spec in trouble):
> > > http://dev.w3.org/html5/webdatabase/
> >
> > This is insane. This spec allows the server to run arbitrary SQL
> > commands on the client, AFAICT. That seems like infinite joy for
> > malicious people running webservers. The more powerful the dialect
> > of SQL the client implements, the more dangerous it is.
>
> Because of a lack of "interested implementers", the spec does not
> put forward a standard dialect/subset. It simply uses Sqlite.
>
> Obviously, access should be restricted per the security section: a
> given domain may only run commands that modify its own database.

That's not proof against a DoS of the form:

SELECT * FROM generate_series(1,1000000),generate_series(1,1000000),...;

... and that was *before* CTEs made SQL Turing-complete.

Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter
XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
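Added example, not part of the thread or of any Web SQL implementation: one client-side mitigation for the runaway-query concern above, using Python's `sqlite3` progress handler to cap the work a single statement may do on a per-origin SQLite database. The `notes` table, the step budget and the recursive CTE standing in for `generate_series` (which stock SQLite lacks) are all constructed for the demonstration.

```python
import sqlite3

# Constructed example: bound the VM work one SQLite statement may do so a
# cartesian product of the shape quoted in the mail is cut off rather than
# pinning the client's CPU. SQLite has no generate_series by default, so
# the runaway query below builds its rows with a recursive CTE instead.

def run_bounded(conn, sql, max_steps):
    """Run `sql`, aborting once roughly `max_steps` VM instructions ran.

    Returns ("ok", rows) or ("aborted", None). `max_steps` is a constructed
    budget; a real browser would tune it per origin.
    """
    steps = {"n": 0}
    granularity = 1000  # handler is invoked every 1000 VM instructions

    def watchdog():
        steps["n"] += granularity
        return 1 if steps["n"] >= max_steps else 0  # non-zero interrupts

    conn.set_progress_handler(watchdog, granularity)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return "aborted", None
        raise
    finally:
        conn.set_progress_handler(None, 0)

# Constructed per-origin database, as Web SQL would hand to a page.
conn = sqlite3.connect(":memory:")
conn.executescript("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);"
                   "INSERT INTO notes(body) VALUES ('a'), ('b'), ('c');")

def benign_query():
    return run_bounded(conn, "SELECT count(*) FROM notes", 200_000)

def runaway_query():
    # Self-join of a million-row CTE: same cross-product shape as the DoS.
    sql = ("WITH RECURSIVE s(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM s "
           "WHERE x<1000000) SELECT count(*) FROM s a, s b")
    return run_bounded(conn, sql, 200_000)

if __name__ == "__main__":
    print(benign_query())   # ('ok', [(3,)])
    print(runaway_query())  # ('aborted', None)
```

The budget applies per statement, so a hostile origin can still issue many cheap statements; pair it with the per-origin quota the spec's security section already asks for.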