Re: BUG #18274: Error 'invalid XML content'
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dmitry Koval <d.koval@postgrespro.ru>, pgsql-bugs@lists.postgresql.org
Date: 2024-01-15T04:18:54Z
Lists: pgsql-bugs
On Sun, Jan 14, 2024 at 10:16:33PM -0500, Tom Lane wrote: > Blowing out a backend's memory or CPU consumption is not something > we try hard to prevent, so I'm not terribly worried on that score. > The one thing I'm concerned about is that raising these limits could > make bugs (like integer overflow problems) reachable that were not > otherwise, and that such bugs might rise to the level of security > problems. They've had such issues before (CVE-2022-40303) and it'd be > foolish to be sure that none remain. Still, that's clearly their bug > not our bug. Interesting. We could always keep our coding more defensive, not sure entirely how. I am not sure that this is enough to not just use the upper limit, though. Being able to manipulate larger XML elements sounds like a fair argument from the user perspective these days, especially with memory being cheaper and larger. 1fb2e0dfc631 has added the huge option back in 2009 in libxml2, so it's been around for some time. -- Michael
Commits
-
xml2: Replace deprecated routines with recommended ones
- 4b0e5d601291 12.19 landed
- bb418aeee270 13.15 landed
- 6fa5e67e832b 14.12 landed
- 689ba4f1c406 15.7 landed
- 7c93f31dee5f 16.3 landed
- 65c5864d7fac 17.0 landed
-
Revert "Add support for parsing of large XML data (>= 10MB)"
- f2743a7d70e7 17.0 landed
-
Add support for parsing of large XML data (>= 10MB)
- 2197d06224a1 17.0 landed