Re: Leakproofness of texteq()/textne()
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
Stephen Frost <sfrost@snowman.net>
Date: 2019-09-12T17:01:21Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Thu, Sep 12, 2019 at 12:19 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> After burrowing down further, it's visibly the case that
>> text_cmp and varstr_cmp don't leak in the sense of actually
>> reporting any part of their input strings. What they do do,
>> in some code paths, is things like
>> ereport(ERROR,
>> (errmsg("could not convert string to UTF-16: error code %lu",
>> GetLastError())));
> Is this possible? I mean, I'm sure it could happen if the data's
> corrupted, but we ought to have validated it on the way into the
> database. But maybe this code path also gets used for non-Unicode
> encodings?
Nope, the above is inside
#ifdef WIN32
/* Win32 does not have UTF-8, so we need to map to UTF-16 */
if (GetDatabaseEncoding() == PG_UTF8
&& (!mylocale || mylocale->provider == COLLPROVIDER_LIBC))
I agree with your point that this is a shouldn't-happen corner case.
The question boils down to, if it *does* happen, does that constitute
a meaningful information leak? Up to now we've taken quite a hard
line about what leakproofness means, so deciding that varstr_cmp
is leakproof would constitute moving the goalposts a bit. They'd
still be in the same stadium, though, IMO.
Another approach would be to try to remove these failure cases,
but I don't really see how we'd do that.
regards, tom lane
Commits
-
Straighten out leakproofness markings on text comparison functions.
- d9110d7e1481 12.0 landed
- c160b8928c77 13.0 landed