Newsgroups: php.internals
Xref: news.php.net php.internals:71289
Date: Mon, 20 Jan 2014 10:16:21 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Will Fitch
Cc: Lester Caine, PHP internals
Subject: Re: [PHP-DEV] Bug 62479

Hi Lester,

On Mon, Jan 20, 2014 at 6:50 AM, Will Fitch wrote:

> On Sun, Jan 19, 2014, at 12:59 PM, Lester Caine wrote:
> > Will Fitch wrote:
> > > On Sun, Jan 19, 2014, at 02:15 AM, Lester Caine wrote:
> > > > Will Fitch wrote:
> > > > > Then again, I didn't expect to have
> > > > > a bug where single quotes are part of the password, so there's always a
> > > > > surprise.
> > > >
> > > > Leaving holes that can possibly be used by hackers is the problem here.
> > > > IF someone finds an edge case that does not get handled their next step is
> > > > to see if it can be exploited? Code review is not a matter of 'surprise' but
> > > > rather 'what have I missed that could be a problem'?
> > > I agree. However, this is more of a situation of not accounting for all
> > > situations as opposed to introducing a security flaw. As I told Stas,
> > > I'm going to update to account for beginning/ending quotes.
> >
> > Many of the edge cases that get missed are quite benign but some of them can be
> > a surprise. It is perhaps a little surprising how some holes can be exploited,
> > even when we thought they were safe :(
>
> Well said. :)

Good point.
Older PostgreSQL uses \ as escape char. There is standard conforming string
handling and it is the default currently. However, it's a configurable option.
It's safe as long as E'str' is used.

Reference: standard_conforming_strings
http://www.postgresql.org/docs/9.1/static/runtime-config-compatible.html

Is this issue considered?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
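
Added example, not part of the original message or of PHP's code: a simplified Python model of how a PostgreSQL string literal is scanned with standard_conforming_strings on and off, showing why an escaper that only doubles quotes depends on the setting while E'...' with doubled backslashes does not. The function names and the sample value are constructed for illustration.

```python
# Simplified model of PostgreSQL string-literal scanning (added example).
# Only '' and backslash-plus-one-character escapes are modelled; real servers
# also decode \n, \t, octal, hex and Unicode escapes.

def scan_literal(sql, standard_conforming_strings):
    """Return (decoded_value, leftover_text) for the literal at the start of sql."""
    backslash_escapes = not standard_conforming_strings
    i = 0
    if sql[:1] in ("E", "e"):            # E'...' always enables backslash escapes
        backslash_escapes = True
        i = 1
    if sql[i:i + 1] != "'":
        raise ValueError("not a string literal")
    i += 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])       # escaped character is taken literally
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":  # doubled quote decodes to one quote
                out.append("'")
                i += 2
            else:                        # closing quote ends the literal
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")

def quote_doubling_only(value):
    """Escaper that silently assumes standard_conforming_strings = on."""
    return "'" + value.replace("'", "''") + "'"

def quote_e_string(value):
    """Escaper whose output decodes the same under either setting."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

SAMPLE = "pa\\'ss"  # constructed value, the six characters: p a \ ' s s

def compare(value=SAMPLE):
    """Quote the value both ways and scan each result under both settings."""
    results = {}
    for name, quote in (("doubling", quote_doubling_only), ("e_string", quote_e_string)):
        for scs in (True, False):
            results[(name, scs)] = scan_literal(quote(value), scs)
    return results

if __name__ == "__main__":
    for key, (decoded, leftover) in compare().items():
        print(key, repr(decoded), repr(leftover))
```

A non-empty leftover means the literal closed before the end of the quoted value, so the remaining characters would be parsed as SQL rather than data.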