Panic on a DataRow with fewer fields than columns allows denial of service
A malicious or compromised server can send a row containing fewer fields than
its row description declares columns. Reading one of the missing columns then
panics with an out-of-bounds index, aborting the calling task. This affects even
the otherwise non-panicking try_get, and both Row and SimpleQueryRow.
Applications that connect only to a trusted database are not exposed; the risk
applies to clients that may connect to untrusted or user-supplied servers, or
whose connection can be intercepted by a man-in-the-middle.
See advisory page for additional details.
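The failure mode above, shown as an added illustration rather than tokio-postgres code: a minimal model of a RowDescription/DataRow pair in which an accessor that checks the index only against the declared columns panics on a short row, next to a bounds-checked accessor that returns an error and a decode-time validator that refuses to build such a row at all. The types `Column`, `DataRow`, `Row`, `RowError` and the functions here are hypothetical stand-ins, and the sample row is constructed.

```rust
// Added illustration, not tokio-postgres code: a minimal model of a
// PostgreSQL RowDescription + DataRow pair. It shows why indexing the field
// vector by column position panics when the server sends fewer fields than
// it declared, and how a bounds-checked accessor reports that as an error.

use std::fmt;

/// One column as declared by the server's RowDescription message.
#[derive(Debug, Clone)]
pub struct Column {
    pub name: String,
}

/// A decoded DataRow: each field is NULL (`None`) or raw bytes. A conforming
/// server sends exactly one field per declared column; a hostile one may not.
#[derive(Debug, Clone)]
pub struct DataRow {
    pub fields: Vec<Option<Vec<u8>>>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RowError {
    /// The requested index is beyond the columns the server declared.
    NoSuchColumn(usize),
    /// The row carries fewer fields than the row description declares columns.
    ShortRow { declared: usize, received: usize },
}

impl fmt::Display for RowError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            RowError::NoSuchColumn(i) => write!(f, "no column at index {i}"),
            RowError::ShortRow { declared, received } => {
                write!(f, "server declared {declared} columns but sent {received} fields")
            }
        }
    }
}

impl std::error::Error for RowError {}

/// Hypothetical row type handed to application code.
pub struct Row {
    columns: Vec<Column>,
    data: DataRow,
}

impl Row {
    /// Construct without validation, as a decoder that trusts the server would.
    pub fn new_unvalidated(columns: Vec<Column>, data: DataRow) -> Row {
        Row { columns, data }
    }

    /// Mitigation at decode time: refuse to build a Row whose DataRow has
    /// fewer fields than declared, so no short row ever reaches callers.
    pub fn new_validated(columns: Vec<Column>, data: DataRow) -> Result<Row, RowError> {
        if data.fields.len() < columns.len() {
            return Err(RowError::ShortRow {
                declared: columns.len(),
                received: data.fields.len(),
            });
        }
        Ok(Row { columns, data })
    }

    /// Accessor with the defect the advisory describes: the index is checked
    /// only against the declared columns, so on a short DataRow
    /// `self.data.fields[idx]` is out of bounds and the task panics.
    pub fn get_unchecked(&self, idx: usize) -> Option<&[u8]> {
        assert!(idx < self.columns.len(), "no column at index {idx}");
        self.data.fields[idx].as_deref()
    }

    /// Hardened accessor: bounds-check against the fields actually received
    /// and surface the mismatch as an error the caller can handle.
    pub fn try_get(&self, idx: usize) -> Result<Option<&[u8]>, RowError> {
        if idx >= self.columns.len() {
            return Err(RowError::NoSuchColumn(idx));
        }
        match self.data.fields.get(idx) {
            Some(field) => Ok(field.as_deref()),
            None => Err(RowError::ShortRow {
                declared: self.columns.len(),
                received: self.data.fields.len(),
            }),
        }
    }
}

/// Constructed sample: three declared columns, but the DataRow carries two.
pub fn short_row_sample() -> (Vec<Column>, DataRow) {
    let columns = ["id", "name", "email"]
        .iter()
        .map(|n| Column { name: n.to_string() })
        .collect();
    let data = DataRow {
        fields: vec![Some(b"42".to_vec()), Some(b"alice".to_vec())],
    };
    (columns, data)
}

fn main() {
    let (columns, data) = short_row_sample();
    if let Err(e) = Row::new_validated(columns.clone(), data.clone()) {
        println!("decode-time rejection: {e}");
    }
    let row = Row::new_unvalidated(columns, data);
    match row.try_get(2) {
        Ok(v) => println!("field 2: {v:?}"),
        Err(e) => println!("try_get error instead of panic: {e}"),
    }
}
```

Validating the field count once at decode time is the cheaper fix, since every accessor then inherits the guarantee; the bounds-checked `try_get` is the belt-and-braces version for code paths that can receive a row built elsewhere.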
Package: tokio-postgres
Versions listed on the advisory page: 0.7.15, >=0.7.18, <0.4.0