Re: ecmascript 5 DATESTYLE

From: Mike Fowler
Subject: Re: ecmascript 5 DATESTYLE
Date:
Msg-id: 4BF3BF50.6070604@mlfowler.com
In response to: Re: ecmascript 5 DATESTYLE (Pavel Stehule <pavel.stehule@gmail.com>)
Responses: Re: ecmascript 5 DATESTYLE (Pavel Stehule <pavel.stehule@gmail.com>)
List: pgsql-hackers
Pavel Stehule wrote:
> 2010/5/19 Mike Fowler <mike@mlfowler.com>:
>   
>> Pavel Stehule wrote:
>>     
>>> see google: lateral sql injection oracle NLS_DATE_FORMAT
>>>
>>> I would like this functionality too - and technically I don't see a
>>> problem - It's less than 100 lines, but I don't need a new security
>>> problem. So my proposal is change nothing on this integrated
>>> functionality and add new custom date type - like cdate that can be
>>> customized via GUC.
>>>
>>> Regards
>>> Pavel
>>>       
>> OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
>> the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
>> an arbitrary string which is then used for the attack. To me this is easy to
>> code against: simply lock the date format right down and ensure that it is
>> always controlled. IMHO I don't see an Oracle specific attack as a reason
>> why we can't have a generic format. Surely we can learn from this known
>> vulnerability and get another one up on Oracle?
>>     
>
> I am not a security expert - you can simply disallow apostrophes and
> double quotes - but I am not sure if this can be safe - simply - I am
> able to write this patch, but I am not able to ensure security.
>
> Regards
> Pavel
>   

Well you've rightly identified a potential security hole, so my 
recommendation would be to put the patch together bearing in mind the 
Oracle vulnerability. Once you've submitted the patch it can be reviewed 
and we can ensure that you've managed to steer clear of introducing the 
same/similar vulnerability into postgres.

Am I right in thinking that you're now proposing to do the generic patch 
that Robert Haas and I prefer?

Thanks,

-- 
Mike Fowler
Registered Linux user: 379787
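The thread above weighs two ways of keeping a user-settable date format from becoming an injection vector: Pavel's idea of forbidding quote characters, and Mike's of locking the format down so it is always controlled. The following is an added illustration written for this archive page, not code from the thread, from Pavel's patch or from PostgreSQL itself; the token set (YYYY, MM, DD, HH24, MI, SS) and the separator set are assumptions chosen for the example and are not PostgreSQL's DateStyle grammar. It contrasts a deny-list check with an allow-list parser and shows that a value rendered through an allow-listed format can only ever contain digits and known separators.

```python
import re
from datetime import datetime

# Hypothetical allow-list of format tokens for a custom date style (an
# assumption for this example, not PostgreSQL's DateStyle syntax), each
# mapped to the strftime directive that produces it.
TOKENS = {
    "YYYY": "%Y",  # four-digit year
    "MM": "%m",    # two-digit month
    "DD": "%d",    # two-digit day
    "HH24": "%H",  # 24-hour clock hour
    "MI": "%M",    # minutes
    "SS": "%S",    # seconds
}

# The only literal characters a format may contain between tokens.
SEPARATORS = set("-/:. T")

# Longest tokens first so "HH24" is not mistaken for "HH" followed by junk.
_TOKEN_RE = re.compile("|".join(sorted(TOKENS, key=len, reverse=True)))


def denylist_ok(fmt):
    """Pavel's first idea: accept any format that carries no quote characters.

    This rejects the obvious cases but still lets arbitrary text through.
    """
    return "'" not in fmt and '"' not in fmt


def allowlist_parse(fmt):
    """Mike's 'lock it right down' approach.

    Returns the format as a list of tokens and separators, or None if any
    character is neither a known token nor an allowed separator.
    """
    parts = []
    i = 0
    while i < len(fmt):
        match = _TOKEN_RE.match(fmt, i)
        if match:
            parts.append(match.group(0))
            i = match.end()
        elif fmt[i] in SEPARATORS:
            parts.append(fmt[i])
            i += 1
        else:
            return None
    return parts


def render(ts, fmt):
    """Format a datetime with an allow-listed format string.

    Raises ValueError rather than rendering anything a caller has not
    vetted, so an unvetted format can never reach later string building.
    """
    parts = allowlist_parse(fmt)
    if parts is None:
        raise ValueError("date style contains characters outside the allow-list")
    return "".join(ts.strftime(TOKENS[p]) if p in TOKENS else p for p in parts)


def is_literal_safe(rendered):
    """True if a rendered value contains only digits and allowed separators.

    Holds for every output of render(), which is the property that makes an
    allow-listed format safe to embed even by code that should really be
    using bind parameters anyway.
    """
    return all(ch.isdigit() or ch in SEPARATORS for ch in rendered)


# Constructed sample timestamp for the demonstration.
SAMPLE_TS = datetime(2010, 5, 19, 14, 30, 0)

if __name__ == "__main__":
    print(render(SAMPLE_TS, "YYYY-MM-DD HH24:MI:SS"))
    # A format with no quotes passes the deny-list but fails the allow-list.
    print(denylist_ok("YYYY;DD"), allowlist_parse("YYYY;DD"))
```

The deny-list lets `YYYY;DD` through because it contains no quote, while the allow-list parser returns `None` for it; the gap between the two is the uncertainty Pavel voices about whether forbidding quotes alone "can be safe". Whichever validation a patch uses, callers that build SQL from rendered dates should still pass them as bind parameters rather than concatenating them.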


