[Pgpool-hackers] query cache specification: possible security issue

Tatsuo Ishii ishii at sraoss.co.jp
Thu Jun 23 07:16:14 UTC 2011


> On 06/22/2011 01:11 AM, Tatsuo Ishii wrote:
>> IMO because pgpool executes query in the same search_path, it's no
>> problem as long as the user does not change search_path dynamically.
>>
>> If the user changes search_path dynamically, we could use
>> md5(username+search_path+query_string+database_name). Of course this
>> requires an additional database inquiry on search_path. Do we need this?
> I think this is just a documentation issue.
> 
> For possible security issues: shouldn't there be a secret value in the
> key? Maybe this is a bit theoretical, but: MD5 isn't too strong, so if
> one knows the username, database_name and query_string of a privileged
> query, it is probably possible to create a collision using a query
> like:
> select * from test where val = 'cause collision using this text';
> 
> If there is a secret value in the key, causing a collision is not
> possible as the attacker does not know the MD5 of the cache key.

What about verifying username? I mean:

1) Cache key is md5(username+query_string+database_name). Also we keep
   username in the cached data.

2) If a cached query is found, extract the username from the cache data. Make
   sure that the current username = the extracted username.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
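The two-step proposal above (key = md5(username+query_string+database_name), username stored next to the cached rows and re-checked on lookup), as an added illustration that is not pgpool code; the QueryCache class and its in-memory dict are assumptions. Because the key inputs are concatenated with no separator, as written in the thread, two different (username, query) pairs can produce the same key; the example shows the step-2 check turning that case into a cache miss.

```python
import hashlib


class QueryCache:
    """Toy in-memory query cache following the scheme discussed in the thread."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def make_key(username, query, database):
        # Step 1: cache key is md5(username+query_string+database_name),
        # concatenated exactly as the thread writes it (no separator).
        return hashlib.md5((username + query + database).encode()).hexdigest()

    def put(self, username, query, database, rows):
        key = self.make_key(username, query, database)
        # Step 1, second half: keep the username alongside the cached rows.
        self._store[key] = {"username": username, "rows": rows}

    def get(self, username, query, database):
        key = self.make_key(username, query, database)
        entry = self._store.get(key)
        if entry is None:
            return None  # ordinary cache miss
        # Step 2: the current username must equal the stored one; otherwise
        # treat the hit as a miss so a colliding key never serves another
        # user's rows.
        if entry["username"] != username:
            return None
        return entry["rows"]


if __name__ == "__main__":
    cache = QueryCache()
    # Constructed sample: alice caches a result in database "db".
    cache.put("alice", " select 1", "db", [(1,)])
    # "al" + "ice select 1" concatenates to the same bytes as
    # "alice" + " select 1", so the md5 keys are identical ...
    print(QueryCache.make_key("al", "ice select 1", "db")
          == QueryCache.make_key("alice", " select 1", "db"))
    # ... but the username check rejects the lookup.
    print(cache.get("al", "ice select 1", "db"))      # None
    print(cache.get("alice", " select 1", "db"))      # [(1,)]
```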

