| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE> |
| Cc: | Joe Conway <joseph(dot)conway(at)home(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Escaping strings for inclusion into SQL queries |
| Date: | 2001-09-12 04:20:31 |
| Message-ID: | 200109120420.f8C4KVf28273@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
I think we need this patch. Bytea encoding will be changed to accept
\000 rather than \0 for the same reason. I also agree that the libpq
enescaping of a C string doesn't need to deal with NULL like bytea does.
Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
> "Joe Conway" <joseph(dot)conway(at)home(dot)com> writes:
>
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
>
> I agree that this is a problem, though it is not possible to do
> anything harmful with it. In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
>
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
>
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
>
> We can't do that, this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
>
> --
> Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
>
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2001-09-12 04:30:21 | Re: [JDBC] Patch for doc/jdbc.sgml |
| Previous Message | Bruce Momjian | 2001-09-12 04:01:52 | Re: [HACKERS] to_char and Roman Numeral (RN) bug |