Re: [SECURITY] DoS attack on backend possible (was: Re:
From | Gavin Sherry |
---|---|
Subject | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Date | |
Msg-id | Pine.LNX.4.21.0208121826110.16336-100000@linuxworld.com.au |
In response to | Re: [SECURITY] DoS attack on backend possible (was: Re: (Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>) |
Responses | Re: [SECURITY] DoS attack on backend possible (was: Re: |
List | pgsql-hackers |

On Mon, 12 Aug 2002, Florian Weimer wrote:

> Tom Lane <tgl@sss.pgh.pa.us> writes:
>
> > Justin Clift <justin@postgresql.org> writes:
> >> Am I understanding this right:
> >> - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
> >> date values which would be accepted by standard "front end" parsing?
> >
> > AFAIK it's a buffer overrun issue, so anything that looks like a
> > reasonable date would *not* cause the problem.
>
> Yes, but if you just check that the date given by the user matches the
> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
> crash the backend.

Florian,

Anyone who is using that regular expression in an attempt to validate a
user supplied date is already in trouble.

Gavin
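
Added example, not part of the original message or of PostgreSQL: a Python sketch contrasting the regular expression quoted in the thread with a front-end check that bounds field lengths and verifies calendar ranges before the value is passed on. The YYYY-MM-DD input format, the function names and the sample strings are assumptions made for illustration.

```python
import re
from datetime import date

# Pattern quoted in the thread: digit runs of any length, no range checks.
LOOSE = re.compile(r"[0-9]+-[0-9]+-[0-9]+")

# Assumed input format for this example: calendar date as YYYY-MM-DD.
STRICT = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")
EXPECTED_LEN = 10  # len("YYYY-MM-DD")


def loose_accepts(text: str) -> bool:
    """Front end that only checks the loose pattern (anchored at both ends)."""
    return LOOSE.fullmatch(text) is not None


def parse_strict_date(text: str) -> date:
    """Return a date for a well-formed YYYY-MM-DD string, else raise ValueError."""
    if not isinstance(text, str) or len(text) != EXPECTED_LEN:
        raise ValueError("date must be exactly 10 characters")
    m = STRICT.fullmatch(text)
    if m is None:
        raise ValueError("date must be YYYY-MM-DD in ASCII digits")
    year, month, day = (int(g) for g in m.groups())
    # date() rejects out-of-range fields such as month 13 or 30 February.
    return date(year, month, day)


def to_sql_param(text: str) -> str:
    """Canonical text rebuilt from the parsed fields, for use as a bound parameter."""
    return parse_strict_date(text).isoformat()


# Constructed sample inputs (not taken from the thread).
SAMPLES = ["2002-08-12", "2002-13-45", "9" * 200 + "-1-1", "2002-02-30"]


def compare(samples=SAMPLES):
    """Return (input length, loose verdict, strict verdict) for each sample."""
    rows = []
    for s in samples:
        try:
            strict = to_sql_param(s)
        except ValueError as exc:
            strict = f"rejected: {exc}"
        rows.append((len(s), loose_accepts(s), strict))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The loose pattern accepts every sample, including the 204-character one, while the strict path passes only the first and hands on a string rebuilt from parsed integers rather than the caller's bytes.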