Re: ecmascript 5 DATESTYLE
From | Pavel Stehule |
---|---|
Subject | Re: ecmascript 5 DATESTYLE |
Date | |
Msg-id | AANLkTikzu6EbiFzo914EG_K7ew6V0ZWhicaJIT3feG0b@mail.gmail.com |
In reply to | Re: ecmascript 5 DATESTYLE (Mike Fowler <mike@mlfowler.com>) |
List | pgsql-hackers |
2010/5/19 Mike Fowler <mike@mlfowler.com>:
> Pavel Stehule wrote:
>>
>> 2010/5/19 Mike Fowler <mike@mlfowler.com>:
>>
>>> Pavel Stehule wrote:
>>>
>>>> see google: lateral sql injection oracle NLS_DATE_FORMAT
>>>>
>>>> I would like this functionality too - and technically I don't see a
>>>> problem - it's less than 100 lines, but I don't need a new security
>>>> problem. So my proposal is to change nothing on this integrated
>>>> functionality and add a new custom date type - like cdate - that can be
>>>> customized via GUC.
>>>>
>>>> Regards
>>>> Pavel
>>>
>>> OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
>>> the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
>>> an arbitrary string which is then used for the attack. To me this is easy to
>>> code against: simply lock the date format right down and ensure that it is
>>> always controlled. IMHO I don't see an Oracle specific attack as a reason
>>> why we can't have a generic format. Surely we can learn from this known
>>> vulnerability and get another one up on Oracle?
>>
>> I am not a security expert - you can simply disallow apostrophes and
>> double quotes - but I am not sure if this can be safe - simply, I am
>> able to write this patch, but I am not able to ensure security.
>>
>> Regards
>> Pavel
>
> Well you've rightly identified a potential security hole, so my
> recommendation would be to put the patch together bearing in mind the Oracle
> vulnerability. Once you've submitted the patch it can be reviewed and we can
> ensure that you've managed to steer clear of introducing the same/similar
> vulnerability into postgres.
>
> Am I right in thinking that you're now proposing to do the generic patch
> that Robert Haas and I prefer?

I'll look at the code and I'll see

Pavel

> Thanks,
>
> --
> Mike Fowler
> Registered Linux user: 379787
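An added example, not code from this thread or from PostgreSQL, sketching the whitelist approach discussed above (reject any format string that is not built from known tokens and plain separators) together with literal quoting as a second layer for the case where a rendered date is still spliced into dynamic SQL. The token names, `MONTH_ABBR`, `quote_literal` and `build_where` are constructed for illustration and are not PostgreSQL's DATESTYLE or `to_char` grammar.

```python
import re
from datetime import date

# Constructed whitelist of to_char-like tokens (an assumption, not PostgreSQL's
# real DATESTYLE grammar); anything outside it and SEPARATORS is rejected.
MONTH_ABBR = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
TOKENS = {
    "YYYY": lambda d: f"{d.year:04d}",
    "Mon": lambda d: MONTH_ABBR[d.month - 1],
    "MM": lambda d: f"{d.month:02d}",
    "DD": lambda d: f"{d.day:02d}",
}
SEPARATORS = set("-/. :,")
# Longest token first so "Mon" is matched whole rather than mistaken for "MM".
_TOKEN_RE = re.compile("|".join(sorted(map(re.escape, TOKENS), key=len, reverse=True)))
SAMPLE_DATE = date(2010, 5, 19)  # constructed sample input


def _tokenize(fmt):
    """Yield (kind, text) pairs; kind is 'token', 'sep' or 'bad'."""
    pos = 0
    while pos < len(fmt):
        m = _TOKEN_RE.match(fmt, pos)
        if m:
            yield "token", m.group(0)
            pos = m.end()
        else:
            yield ("sep" if fmt[pos] in SEPARATORS else "bad"), fmt[pos]
            pos += 1


def validate_date_format(fmt):
    """True only if the whole format is known tokens and separators; quotes,
    semicolons, comment markers and anything else never pass."""
    return fmt != "" and all(kind != "bad" for kind, _ in _tokenize(fmt))


def render_date(d, fmt):
    """Render a date with a validated format; refuse anything else outright."""
    if not validate_date_format(fmt):
        raise ValueError("date format contains characters outside the whitelist")
    return "".join(TOKENS[text](d) if kind == "token" else text
                   for kind, text in _tokenize(fmt))


def quote_literal(value):
    """Constructed SQL literal quoting (doubles embedded apostrophes)."""
    return "'" + value.replace("'", "''") + "'"


def build_where(d, fmt, column="created"):
    """WHERE fragment that never trusts the format string at any point."""
    return f"{column} = {quote_literal(render_date(d, fmt))}"
```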