Pavel Stehule wrote:
see google: lateral sql injection oracle NLS_DATE_FORMAT
I would to like this functionality too - and technically I don't see a
problem - It's less than 100 lines, but I don't need a new security
problem. So my proposal is change nothing on this integrated
functionality and add new custom date type - like cdate that can be
customized via GUC.
Regards
Pavel
OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf.
From the way I read this, the exploit relies on adjusting the
NLS_DATE_FORMAT to an arbitrary string which is then used for the
attack, To me this is easy to code against, simply lock the date format
right down and ensure that it is always controlled. IMHO I don't see an
Oracle specific attack as a reason why we can't have a generic format.
Surely we can learn from this known vulnerability and get another one up
on Oracle?
Thanks,
--
Mike Fowler
Registered Linux user: 379787
"I could be a genius if I just put my mind to it, and I,
I could do anything, if only I could get 'round to it"
-PULP 'Glory Days'
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
