Обсуждение: Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters

Поиск
Список
Период
Сортировка

Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters

От
Bernd Kappler
Дата:
Hi,

we are using the postgresql jdbc driver build version 404 in conjunction with
postgresql 8.1.3. Could you please tell me, if this combination is safe with
respect to the security hole described in

http://www.postgresql.org/docs/techdocs.50

I guess so - but better safe than sorry :-)

Thanks and Regards

Bernd


--

Re: Security hole in 8.1.3 with respect to invalidly-encoded

От
Markus Schaber
Дата:
Hi, Bernd,

Bernd Kappler wrote:

> we are using the postgresql jdbc driver build version 404 in conjunction with
> postgresql 8.1.3. Could you please tell me, if this combination is safe with
> respect to the security hole described in
>
> http://www.postgresql.org/docs/techdocs.50
>
> I guess so - but better safe than sorry :-)

The pgsql-jdbc driver uses the 16-bit java encoding internally, and the
jvm-provided UTF8-encoder. Usually, the JVMs do not accept invalidly
encoded strings on input, and will not generate invalid ones on output,
so you should be save, if java is the only way for hostile people to
access the database.

I'm not shure what happens if you insane enough to use bytea and casting
inside the database, however, as this bypasses the JVM encodings, you'll
need to update your backend in this case.

HTH,
Markus
--
Markus Schaber | Logical Tracking&Tracing International AG
Dipl. Inf.     | Software Development GIS

Fight against software patents in EU! www.ffii.org www.nosoftwarepatents.org