Re: [SECURITY] DoS attack on backend possible

From Florian Weimer
Subject Re: [SECURITY] DoS attack on backend possible
Date
Msg-id 877kil4hlr.fsf@CERT.Uni-Stuttgart.DE
In reply to Re: [SECURITY] DoS attack on backend possible  ("Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at>)
List pgsql-hackers
"Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at> writes:

> Yes, but what is currently missing is a protocol to the backend
> where a statement is prepared with placeholders and then executed
> (multiple times) with given values. Then there is no doubt what is a
> value, and what a part of the SQL.

This wouldn't have helped in the current case.  The bug is in the
datetime parser which translates strings to an external
representation, not in the SQL parser.

-- 
Florian Weimer                       Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

