Re: disable SSL compression?

From: Craig Ringer
Subject: Re: disable SSL compression?
Msg-id: CAMsr+YF1OC4LV_UTEfB3Sb1Rt2gm_PvxbShhHW++yHXfq+Tq=w@mail.gmail.com
In response to: Re: disable SSL compression?  (Gasper Zejn <zejn@owca.info>)
List: pgsql-hackers

On 9 March 2018 at 14:17, Gasper Zejn <zejn@owca.info> wrote:
> On 09. 03. 2018 06:24, Craig Ringer wrote:
>> I'm totally unconvinced by the threat posed by exploiting a client by tricking it into requesting protocol compression - or any other protocol change the client lib doesn't understand - with a connection option in PGOPTIONS or the "options" connstring entry. The attacker must be able to specify either environment variables (in which case I present "LD_PRELOAD") or the connstr. If they can set a connstr they can direct the client to talk to a different host that tries to exploit the connecting client in whatever manner they wish by sending any custom crafted messages they like.
>
> If the attacker has access to client process or environment, he's already won and this is not where the compression vulnerability lies.


I'm aware. That's a reference to Tom's often-stated objection to using a GUC as a client flag to enable new server-to-client protocol messages, not anything re SSL.


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
