Tatsuo Ishii <ishii@sraoss.co.jp> writes:
> I guess I understand whay you are saying. However, I am not allowed to
> talk to you about it unless cores allow me. Probably we need some
> closed forum to discuss this kind of security issues.
Considering that you've already described the problem on pgsql-hackers,
I hardly see how further discussion is going to create a bigger security
breach than already exists.
(I'm of the opinion that the problem is mostly a client problem anyway;
AFAICS the issue only comes up if client software fails to consider
encoding issues while doing escaping. There is certainly no way that
we can magically solve the problem in a new PG release, and so trying
to keep it quiet until we can work out a solution seems pointless.)
regards, tom lane