Re: disable SSL compression?
| От | Craig Ringer |
|---|---|
| Тема | Re: disable SSL compression? |
| Дата | |
| Msg-id | CAMsr+YF1OC4LV_UTEfB3Sb1Rt2gm_PvxbShhHW++yHXfq+Tq=w@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: disable SSL compression? (Gasper Zejn <zejn@owca.info>) |
| Список | pgsql-hackers |
On 9 March 2018 at 14:17, Gasper Zejn <zejn@owca.info> wrote:
On 09. 03. 2018 06:24, Craig Ringer wrote:If the attacker has access to client process or environment, he's already won and this is not where the compression vulnerability lies.I'm totally unconvinced by the threat posed by exploiting a client by tricking it into requesting protocol compression - or any other protocol change the client lib doesn't understand - with a connection option in PGOPTIONS or the "options" connstring entry. The attacker must be able to specify either environment variables (in which case I present "LD_PRELOAD") or the connstr. If they can set a connstr they can direct the client to talk to a different host that tries to exploit the connecting client in whatever manner they wish by sending any custom crafted messages they like.
I'm aware. That's a reference to Tom's often-stated objection to using a GUC as a client flag to enable new server-to-client protocol messages, not anything re SSL.
В списке pgsql-hackers по дате отправления: