8000 Docs: add disclaimer about hazards of using regexps from untrusted so… · percona/postgres@3fe8a6c · GitHub
[go: up one dir, main page]
Skip to content

Commit 3fe8a6c

Browse files
tglsfdctglsfdc
committed
Docs: add disclaimer about hazards of using regexps from untrusted sources.
It's not terribly hard to devise regular expressions that take large amounts of time and/or memory to process. Recent testing by Greg Stark has also shown that machines with small stack limits can be driven to stack overflow by suitably crafted regexps. While we intend to fix these things as much as possible, it's probably impossible to eliminate slow-execution cases altogether. In any case we don't want to treat such things as security issues. The history of that code should already discourage prudent DBAs from allowing execution of regexp patterns coming from possibly-hostile sources, but it seems like a good idea to warn about the hazard explicitly. Currently, similar_escape() allows access to enough of the underlying regexp behavior that the warning has to apply to SIMILAR TO as well. We might be able to make it safer if we tightened things up to allow only SQL-mandated capabilities in SIMILAR TO; but that would be a subtly non-backwards-compatible change, so it requires discussion and probably could not be back-patched. Per discussion among pgsql-security list.
1 parent a1c4afa commit 3fe8a6c

File tree

1 file changed

+22
-0
lines changed

1 file changed

+22
-0
lines changed

doc/src/sgml/func.sgml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3074,6 +3074,28 @@ cast(-44 as bit(12)) <lineannotation>111111010100</lineannotation>
30743074
</para>
30753075
</tip>
30763076

3077+
<caution>
3078+
<para>
3079+
While most regular-expression searches can be executed very quickly,
3080+
regular expressions can be contrived that take arbitrary amounts of
3081+
time and memory to process. Be wary of accepting regular-expression
3082+
search patterns from hostile sources. If you must do so, it is
3083+
advisable to impose a statement timeout.
3084+
</para>
3085+
3086+
<para>
3087+
Searches using <function>SIMILAR TO</function> patterns have the same
3088+
security hazards, since <function>SIMILAR TO</function> provides many
3089+
of the same capabilities as <acronym>POSIX</acronym>-style regular
3090+
expressions.
3091+
</para>
3092+
3093+
<para>
3094+
<function>LIKE</function> searches, being much simpler than the other
3095+
two options, are safer to use with possibly-hostile pattern sources.
3096+
</para>
3097+
</caution>
3098+
30773099
<sect2 id="functions-like">
30783100
<title><function>LIKE</function></title>
30793101

0 commit comments

Comments
 (0)
0