Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZDg1-00H7a1-ST for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 18:03:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sZDg0-00BKKC-Au for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 18:03:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZDfz-00BKI2-Sm for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 18:03:51 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZDfw-002Pvs-QG for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 18:03:50 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 46VI3kbJ3416374; Wed, 31 Jul 2024 14:03:46 -0400 From: Tom Lane To: Robert Haas cc: Joe Conway , Andrew Dunstan , David Rowley , PostgreSQL Hackers Subject: Re: can we mark upper/lower/textlike functions leakproof? In-reply-to: References: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> Comments: In-reply-to Robert Haas message dated "Wed, 31 Jul 2024 13:39:45 -0400" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3416372.1722449026.1@sss.pgh.pa.us> Date: Wed, 31 Jul 2024 14:03:46 -0400 Message-ID: <3416373.1722449026@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Robert Haas writes: > If there are some inputs that cause upper() and lower() to fail and > others that do not, the functions aren't leakproof, because an > attacker can extract information about values that they can't see by > feeding those values into these functions and seeing whether they get > a failure or not. > [ rather exhaustive analysis redacted ] > So in summary, I think upper() is ... pretty close to leakproof. But > if ICU sometimes fails on certain strings, then it isn't. And if the > multi-byte libc path can be made to fail reliably either with really > long strings or with certain choices of the LC_CTYPE locale, then it > isn't. The problem here is that marking these functions leakproof is a promise about a *whole bunch* of code, much of it not under our control; worse, there's no reason to think all that code is stable. A large fraction of it didn't even exist a few versions ago. Even if we could convince ourselves that the possible issues Robert mentions aren't real at the moment, I think marking these leakproof is mighty risky. It's unlikely we'd remember to revisit the marking the next time someone drops a bunch of new code in here. regards, tom lane