I agree with Adam, we should never silently change submitted data at the model layer. My preference would be c), a form-level validation error that prevents saving.

Luke


On 15/05/17 19:11, Adam Johnson wrote:
The problem with (a) - data with null bytes in strings from other databases can't be loaded into PG as per #28117.

The problem with (b) - data currently in databases in the wild will be modified upon save 😱

(b) is incredibly destructive and could break an unknown number of applications whilst (a) doesn't affect anyone until they try to migrate null-byte-strings into PG. I vote for (a), or (c) add form-level validation to (Char/Text)Field that null bytes aren't in the submitted string (for all databases) and error when trying to save them on PG.


On 15 May 2017 at 16:54, Tim Graham <[email protected]> wrote:

    Does anyone know of a use case for using null bytes in
    CharField/TextField?

    psycopg2 2.7+ raises ValueError("A string literal cannot contain
    NUL (0x00) characters.") when trying to save null bytes [0] and
    this exception is unhandled in Django, which allows malicious form
    submissions to crash [1]. With psycopg2 < 2.7, there is no
    exception and null bytes are silently truncated by PostgreSQL.
    Other databases that I tested (SQLite, MySQL, Oracle) allow saving
    null bytes. This creates possible cross-database compatibility
    problems when moving data from those databases to PostgreSQL, e.g. [2].

    I propose to have CharField and TextField strip null bytes from
    the value either a) only on PostgreSQL or b) on all databases.
    Please indicate your preference or suggest another solution.

    [0] https://github.com/psycopg/psycopg2/issues/420
    [1] https://code.djangoproject.com/ticket/28201 - Saving a
    Char/TextField with psycopg2 2.7+ raises ValueError: A string
    literal cannot contain NUL (0x00) characters is unhandled
    [2] https://code.djangoproject.com/ticket/28117 - loaddata raises
    ValueError with psycopg2 backend when data contains null bytes
    -- You received this message because you are subscribed to the Google
    Groups "Django developers (Contributions to Django itself)" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to [email protected].
    To post to this group, send email to [email protected].
    Visit this group at https://groups.google.com/group/django-developers.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/django-developers/9897126d-b6ef-48f1-9f19-96ed98ce10e5%40googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.




--
Adam

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1fbe9f18-f935-93eb-dd90-ffa754ad9c2b%40cantab.net.
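The form-level rejection that Luke and Adam prefer (option (c)), written out as an added example; this is not code from the thread and not Django's own implementation. It is plain Python so it runs without Django or psycopg2: `ValidationError`, `CharField` and `validate_no_null_chars` are minimal stand-ins for the Django form machinery, and `FakePgCursor` only mimics the ValueError psycopg2 2.7+ raises when a NUL reaches the driver. The `%00` input is a constructed example of how a null byte arrives in a form submission.

```python
"""Reject NUL (0x00) characters at the form layer instead of stripping them.

Added illustration, not code from the django-developers thread or from Django.
Models the options discussed: (a)/(b) silently strip NULs, (c) refuse the
value before it is saved. FakePgCursor is a stand-in for psycopg2 >= 2.7.
"""
from urllib.parse import unquote


class ValidationError(Exception):
    """Form-level validation failure (stand-in for Django's ValidationError)."""


def validate_no_null_chars(value: str) -> None:
    """Option (c): refuse the submitted value; never alter it."""
    if "\x00" in value:
        raise ValidationError("Null characters are not allowed.")


def strip_null_chars(value: str) -> str:
    """Options (a)/(b), shown for contrast: silently drops NULs, so the data
    that gets saved is not the data that was submitted."""
    return value.replace("\x00", "")


class FakePgCursor:
    """Stand-in that raises the way psycopg2 >= 2.7 does on a NUL parameter.
    Not psycopg2; it only records rows and reproduces the error message."""

    def __init__(self):
        self.rows = []

    def execute(self, sql, params=()):
        for p in params:
            if isinstance(p, str) and "\x00" in p:
                raise ValueError(
                    "A string literal cannot contain NUL (0x00) characters.")
        self.rows.append(params)


class CharField:
    """Minimal form field: runs validators, collects errors, returns the
    input unchanged when it is clean (stand-in for a Django form CharField)."""

    def __init__(self, validators=()):
        self.validators = list(validators)

    def clean(self, value: str) -> str:
        errors = []
        for validator in self.validators:
            try:
                validator(value)
            except ValidationError as exc:
                errors.append(str(exc))
        if errors:
            raise ValidationError(errors)
        return value


def submit(raw_query_value: str, field: CharField, cursor: FakePgCursor) -> str:
    """Decode a submitted value, validate it, then save it.

    Returns one of "rejected-by-form", "crashed-in-driver" or "saved" so the
    three outcomes can be compared.
    """
    value = unquote(raw_query_value)  # "%00" in a request decodes to "\x00"
    try:
        cleaned = field.clean(value)
    except ValidationError:
        return "rejected-by-form"          # option (c): error before any save
    try:
        cursor.execute("INSERT INTO t (name) VALUES (%s)", (cleaned,))
    except ValueError:
        return "crashed-in-driver"         # the unhandled case from ticket 28201
    return "saved"


if __name__ == "__main__":
    # Without the validator, the NUL reaches the driver and blows up (psycopg2 2.7+).
    print(submit("hello%00world", CharField(), FakePgCursor()))
    # With the validator, the form rejects it and nothing is written.
    print(submit("hello%00world", CharField([validate_no_null_chars]), FakePgCursor()))
    # Clean input still saves.
    print(submit("hello", CharField([validate_no_null_chars]), FakePgCursor()))
    # Silent stripping (option b) changes what the user sent.
    print(repr(strip_null_chars("hello\x00world")))
```

The validator runs for every database backend, so the behaviour stops depending on which driver happens to be underneath; the constructed `FakePgCursor` branch only shows what still happens on PostgreSQL when nothing catches the value first. For the record, Django 2.0 went on to ship a `ProhibitNullCharactersValidator` on form `CharField` along these lines.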
