Re: Security hole in 8.1.3 with respect to invalidly-encoded
| От | Markus Schaber |
|---|---|
| Тема | Re: Security hole in 8.1.3 with respect to invalidly-encoded |
| Дата | |
| Msg-id | 447AA8BB.5080700@logix-tt.com обсуждение исходный текст |
| Ответ на | Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters (Bernd Kappler <Bernd.Kappler@genedata.com>) |
| Список | pgsql-jdbc |
Hi, Bernd, Bernd Kappler wrote: > we are using the postgresql jdbc driver build version 404 in conjunction with > postgresql 8.1.3. Could you please tell me, if this combination is safe with > respect to the security hole described in > > http://www.postgresql.org/docs/techdocs.50 > > I guess so - but better safe than sorry :-) The pgsql-jdbc driver uses the 16-bit java encoding internally, and the jvm-provided UTF8-encoder. Usually, the JVMs do not accept invalidly encoded strings on input, and will not generate invalid ones on output, so you should be save, if java is the only way for hostile people to access the database. I'm not shure what happens if you insane enough to use bytea and casting inside the database, however, as this bypasses the JVM encodings, you'll need to update your backend in this case. HTH, Markus -- Markus Schaber | Logical Tracking&Tracing International AG Dipl. Inf. | Software Development GIS Fight against software patents in EU! www.ffii.org www.nosoftwarepatents.org
В списке pgsql-jdbc по дате отправления: