Обсуждение: Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters
Security hole in 8.1.3 with respect to invalidly-encoded multibyte characters
От
Bernd Kappler
Дата:
Hi, we are using the postgresql jdbc driver build version 404 in conjunction with postgresql 8.1.3. Could you please tell me, if this combination is safe with respect to the security hole described in http://www.postgresql.org/docs/techdocs.50 I guess so - but better safe than sorry :-) Thanks and Regards Bernd --
Hi, Bernd, Bernd Kappler wrote: > we are using the postgresql jdbc driver build version 404 in conjunction with > postgresql 8.1.3. Could you please tell me, if this combination is safe with > respect to the security hole described in > > http://www.postgresql.org/docs/techdocs.50 > > I guess so - but better safe than sorry :-) The pgsql-jdbc driver uses the 16-bit java encoding internally, and the jvm-provided UTF8-encoder. Usually, the JVMs do not accept invalidly encoded strings on input, and will not generate invalid ones on output, so you should be save, if java is the only way for hostile people to access the database. I'm not shure what happens if you insane enough to use bytea and casting inside the database, however, as this bypasses the JVM encodings, you'll need to update your backend in this case. HTH, Markus -- Markus Schaber | Logical Tracking&Tracing International AG Dipl. Inf. | Software Development GIS Fight against software patents in EU! www.ffii.org www.nosoftwarepatents.org