Re: Leakproofness of texteq()/textne()
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
Stephen Frost <sfrost@snowman.net>
Date: 2019-09-12T20:56:06Z
Lists: pgsql-hackers
On Thu, Sep 12, 2019 at 1:38 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > In any case, from a purely theoretical viewpoint, such an error message > *does* constitute a leak of information about the input strings. Whether > it's a usable leak is very debatable, but that's basically what we've > got to decide. I'm pretty content to ignore information leaks that can only happen if the database is corrupt anyway. If that's moving the goalposts at all, it's about a quarter-inch. I mean, a slightly differently corrupted varlena would could crash the database entirely. I wouldn't feel comfortable with ignoring information leaks that can happen with some valid strings but not others. That sounds like exactly the sort of information leak that we must prevent. The user can write arbitrary stuff in their query, potentially transforming strings so that the result hits the ERROR iff the original string had some arbitrary property P for which they wish to test. Allowing that sounds no different than deciding that int4div is leakproof, which it sure isn't. However, I wonder if there's any realistic case outside of an encoding conversion where such failures can occur. I would expect, perhaps naively, that the set of characters that can be represented by UTF-16 is the same set as can be represented by UTF-8. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Straighten out leakproofness markings on text comparison functions.
- d9110d7e1481 12.0 landed
- c160b8928c77 13.0 landed