BUG #14998: XXS vulnerabilities in PostgreSQL 'utf8 4-byte truncation'

On 2018-01-04 04:19:19 +0000, PG Bug reporting form wrote:

The following bug has been logged on the website:

Bug reference: 14998
Logged by: Thu Luu
Email address: ltthu2810@gmail.com
PostgreSQL version: 9.6.2
Operating system: CentOs 6.x
Description:

My application uses the Postgresql 9.6.2. But, when I use the tool to scan
the vulnerabilities. There are some errors related to DB: 'MYSQL utf8 4-byte
truncation'.
Refer:
https://www.acunetix.com/vulnerabilities/web/mysql-utf8-4-byte-truncation

Postgres is not mysql, and to my knowledge does not suffer from an
equivalent vulnerability. So this more looks like a weakness in your
scanning tool.

Greetings,

Andres Freund

Hi Andres,

My application uses PostgreSQL 9.6.2:

[image: Inline image 1]

When we try inputing to my application as the below:
[image: Inline image 3]
The result:
[image: Inline image 5]
=> That is WordPress < 4.1.2 Stored XSS vulnerability
<https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/&gt;.

As far as I know, this error is fixed by using MySQL's strict mode. For
PostgreSQL, can there be any other way?

We appreciate your help in this matter and look forward to hearing from you
soon.

Thanks,
Thu Luu

On Thu, Jan 4, 2018 at 11:22 AM, Andres Freund <andres@anarazel.de> wrote:

Hi!
I do not understand what your problem is. UTF8 character may be 4 bytes long by standart. Postgresql can store this characters. Mysql - for history reasons - treat utf8 as at most 3 byte characters and is not fully unicode compatible. In mysql 5.5 was added utf8mb4 charset which is full unicode compatible and can store 4 byte characters ( https://dev.mysql.com/doc/refman/5.5/en/charset-unicode-utf8mb4.html ). Discarding or correct storing 4-byte symbols is not vulnerabilities, just historical error in mysql.

PS: given link is broken due outdated https cert.