Thread

  1. Re: BUG #19354: JOHAB rejects valid byte sequences

    Robert Haas <robertmhaas@gmail.com> — 2025-12-16T18:42:51Z

    On Tue, Dec 16, 2025 at 10:41 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > However, that doesn't mean we can fix pg_johab_mblen() and we're done.
    > I'm still quite afraid that we'd be introducing security-grade
    > inconsistencies of interpretation between different PG versions.
    
    I understand that fear, but I do not have an opinion either way on
    whether there would be an actual vulnerability.
    
    I think there is a good chance that the right going-forward fix is to
    deprecate the encoding, because according to
    https://www.unicode.org/Public/MAPPINGS/EASTASIA/ReadMe.txt this and
    everything else that's now under
    https://www.unicode.org/Public/MAPPINGS/OBSOLETE/EASTASIA/ were
    deprecated in 2001. By the time v19 is released, the deprecation will
    be a quarter-century old, and the fact that it doesn't work is good
    evidence that few people will miss it, though perhaps the original
    poster will want to put forward an argument for why we should still
    care about this.
    
    What to do in the back branches is a more difficult question. Since
    this is a client-only encoding, there's no issue of what is already
    stored in the database, and we would not be proposing to change any of
    the mappings, just allow the ones that don't currently work to do so.
    I *think* that fixing pg_johab_mblen() would be "forward compatible":
    the subset of the encoding that already works would continue to behave
    in the same way, and the rest of it would begin working as well.
    
    And, I don't really like throwing up our hands and deciding that
    already-released features are free to continue not working. That's
    what bug-fix releases are for.
    
    On the other hand, fixing this bug which apparently affects very few
    users, and in the process creating a scarier, CVE-worthy bug would not
    win us many friends, especially in view of the apparently-low uptake
    of this encoding.
    
    -- 
    Robert Haas
    EDB: http://www.enterprisedb.com
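
    The "forward compatible" property argued for above (every byte sequence
    the current pg_johab_mblen() accepts keeps the same length, and only
    previously rejected sequences start working) is something that can be
    checked exhaustively rather than argued, since JOHAB is at most two bytes
    per character. The following is an added example, not PostgreSQL code and
    not a patch for this bug. johab_verify_mblen() is an assumed JOHAB
    length/validity routine built from the lead/trail byte ranges of the
    Unicode JOHAB mapping table (hangul leads 0x84-0xD3 with trails
    0x41-0x7E/0x81-0xFE; symbol and hanja leads 0xD8-0xDE and 0xE0-0xF9 with
    trails 0x31-0x7E/0x91-0xFE); strict_stand_in_mblen() is a constructed,
    deliberately over-strict stand-in used only to exercise the check and is
    not the real pg_johab_mblen(). mblen_forward_compat() then runs both
    routines over all 65536 two-byte prefixes and reports any sequence the old
    routine accepted that the new one interprets differently, which is the
    kind of cross-version disagreement the thread is worried about.

```c
/*
 * Added example (not PostgreSQL code): a JOHAB byte-length check derived
 * from the Unicode JOHAB mapping table ranges (an assumption, see lead-in),
 * plus an exhaustive differential check that a replacement mblen routine is
 * a pure extension of the old one: same answer wherever the old one
 * accepted, new acceptances only where the old one rejected.
 */
#include <stddef.h>
#include <stdio.h>

/* Returns the byte length (>0) of the character starting at s, or -1 if the
 * sequence is invalid or truncated (fewer than n bytes available). */
typedef int (*mblen_fn)(const unsigned char *s, size_t n);

static int in_range(unsigned c, unsigned lo, unsigned hi) { return c >= lo && c <= hi; }

/* Lead byte classes taken from the Unicode JOHAB mapping layout (assumed). */
static int johab_hangul_lead(unsigned c) { return in_range(c, 0x84, 0xD3); }
static int johab_other_lead(unsigned c)  { return in_range(c, 0xD8, 0xDE) || in_range(c, 0xE0, 0xF9); }

int johab_verify_mblen(const unsigned char *s, size_t n)
{
    if (n == 0) return -1;
    unsigned c = s[0];
    if (c < 0x80) return 1;               /* single-byte ASCII range */
    if (n < 2) return -1;                 /* truncated two-byte character */
    unsigned t = s[1];
    if (johab_hangul_lead(c))
        return (in_range(t, 0x41, 0x7E) || in_range(t, 0x81, 0xFE)) ? 2 : -1;
    if (johab_other_lead(c))
        return (in_range(t, 0x31, 0x7E) || in_range(t, 0x91, 0xFE)) ? 2 : -1;
    return -1;                            /* not a JOHAB lead byte */
}

/* Constructed stand-in for an over-strict older routine: it only knows the
 * hangul block, so every symbol/hanja sequence is rejected. This is NOT
 * PostgreSQL's pg_johab_mblen(); it exists only to exercise the check. */
int strict_stand_in_mblen(const unsigned char *s, size_t n)
{
    if (n == 0) return -1;
    unsigned c = s[0];
    if (c < 0x80) return 1;
    if (n < 2 || !johab_hangul_lead(c)) return -1;
    unsigned t = s[1];
    return (in_range(t, 0x41, 0x7E) || in_range(t, 0x81, 0xFE)) ? 2 : -1;
}

/* Compare oldf and newf over every two-byte prefix. Returns the number of
 * regressions (old accepted, new gives a different answer); optionally
 * reports how many sequences the new routine accepts that the old rejected. */
int mblen_forward_compat(mblen_fn oldf, mblen_fn newf, long *newly_accepted)
{
    int regressions = 0;
    long added = 0;
    unsigned char buf[2];
    for (unsigned a = 0; a < 256; a++) {
        for (unsigned b = 0; b < 256; b++) {
            buf[0] = (unsigned char)a;
            buf[1] = (unsigned char)b;
            int o = oldf(buf, 2), nw = newf(buf, 2);
            if (o > 0 && nw != o) regressions++;
            else if (o < 0 && nw > 0) added++;
        }
    }
    if (newly_accepted) *newly_accepted = added;
    return regressions;
}

long mblen_newly_accepted(mblen_fn oldf, mblen_fn newf)
{
    long added = 0;
    mblen_forward_compat(oldf, newf, &added);
    return added;
}

int main(void)
{
    long added = 0;
    int reg = mblen_forward_compat(strict_stand_in_mblen, johab_verify_mblen, &added);
    printf("strict -> full: %d regressions, %ld newly accepted sequences\n", reg, added);
    reg = mblen_forward_compat(johab_verify_mblen, strict_stand_in_mblen, NULL);
    printf("full -> strict: %d regressions (not forward compatible)\n", reg);
    return 0;
}
```

    The second direction is the one to watch in a real back-branch review:
    any non-zero regression count means a byte sequence already accepted on
    older servers or clients would be split into characters differently after
    the change, which is exactly the cross-version disagreement that turns an
    encoding bug into a security issue.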