Re: Underscore in positional parameters?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Erik Wienhold <ewie@ewie.name>
Cc: jian he <jian.universality@gmail.com>,
Alexander Lakhin <exclusion@gmail.com>,
Michael Paquier <michael@paquier.xyz>,
Peter Eisentraut <peter@eisentraut.org>,
Dean Rasheed <dean.a.rasheed@gmail.com>, pgsql-hackers@postgresql.org
Date: 2024-05-20T03:02:53Z
Lists: pgsql-hackers
Erik Wienhold <ewie@ewie.name> writes: > On 2024-05-20 03:26 +0200, jian he wrote: >> /* Check parameter number is in range */ >> if (paramno <= 0 || paramno > MaxAllocSize / sizeof(Oid)) >> ereport(ERROR, ... > Yes, it makes sense to show the upper bound. How about a hint such as > "Valid parameters range from $%d to $%d."? I kind of feel like this upper bound is ridiculous. In what scenario is parameter 250000000 not a mistake, if not indeed somebody trying to break the system? The "Bind" protocol message only allows an int16 parameter count, so rejecting parameter numbers above 32K would make sense to me. regards, tom lane
Commits
-
Fix overflow in parsing of positional parameter
- d35cd0619984 18.0 landed
-
Limit max parameter number with MaxAllocSize
- 9c2e660b07fc 18.0 landed
-
Re-forbid underscore in positional parameters
- 315661ecafbc 16.4 landed
- 98b4f53d156e 17.0 landed