Re: jsonb, unicode escapes and escaped backslashes

From Tom Lane
Subject Re: jsonb, unicode escapes and escaped backslashes
Date
Msg-id 1739.1422597846@sss.pgh.pa.us
In reply to Re: jsonb, unicode escapes and escaped backslashes  (Peter Geoghegan <pg@heroku.com>)
Responses Re: jsonb, unicode escapes and escaped backslashes  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Peter Geoghegan <pg@heroku.com> writes:
> I looked into it, and it turns out that MongoDB does not accept NUL in
> at least some contexts (for object keys). Apparently it wasn't always
> so. MongoDB previously had a security issue that was fixed by
> introducing this restriction. Their JSON-centric equivalent of
> per-column privileges was for a time compromised, because "NUL
> injection" was possible:

> https://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/

> It's easy to bash MongoDB, but this is still an interesting data
> point. They changed this after the fact, and yet I can find no
> evidence of any grumbling about it from end users. No one really
> noticed.

Hoo, that's interesting.  Lends some support to my half-baked idea that
we might disallow NUL in object keys even if we are able to allow it
elsewhere in JSON strings.
        regards, tom lane
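
One way to express the rule floated in the message above (NUL rejected in object keys, tolerated in other JSON strings), as an added example that is not part of the original message and not PostgreSQL code. The function names are hypothetical, the inputs are constructed, and the scanner assumes well-formed JSON; it also keeps `\u0000` distinct from `\\u0000`, the escaped-backslash case in the thread's subject.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan the JSON string whose opening quote is s[i]; set *has_nul if it
 * contains the escape \u0000. Returns the index just past the closing quote
 * (or len if the string is unterminated). Hypothetical helper. */
static size_t scan_string(const char *s, size_t len, size_t i, bool *has_nul)
{
    *has_nul = false;
    for (i++; i < len && s[i] != '"'; i++) {
        if (s[i] != '\\')
            continue;
        /* s[i] opens an escape. In "\\u0000" the first backslash pairs with
         * the second, so the u0000 after it is plain text, not a NUL. */
        if (i + 5 < len && strncmp(s + i + 1, "u0000", 5) == 0)
            *has_nul = true;
        i++;                        /* step over the escaped character */
    }
    return i < len ? i + 1 : len;
}

/* True if any object key (a string followed by ':') contains \u0000.
 * Assumes well-formed JSON text; NUL in string values is not flagged. */
bool json_key_has_nul_escape(const char *json)
{
    size_t len = strlen(json), i = 0;
    while (i < len) {
        bool has_nul;
        if (json[i] != '"') { i++; continue; }
        size_t j = i = scan_string(json, len, i, &has_nul);
        while (j < len && strchr(" \t\r\n", json[j]))
            j++;                    /* skip whitespace before a possible ':' */
        if (has_nul && j < len && json[j] == ':')
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed inputs: NUL in a key, NUL in a value, escaped backslash. */
    const char *docs[] = { "{\"a\\u0000b\": 1}", "{\"k\": \"v\\u0000\"}",
                           "{\"a\\\\u0000b\": 1}" };
    for (size_t n = 0; n < 3; n++)
        printf("%-22s -> %s\n", docs[n],
               json_key_has_nul_escape(docs[n]) ? "reject" : "accept");
}
```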


