From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE> |
Cc: | Joe Conway <joseph(dot)conway(at)home(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Escaping strings for inclusion into SQL queries |
Date: | 2001-09-13 17:00:26 |
Message-ID: | 200109131700.f8DH0Qk26700@candle.pha.pa.us |
Lists: | pgsql-hackers |
Patch applied. Thanks.
> "Joe Conway" <joseph(dot)conway(at)home(dot)com> writes:
>
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
>
> I agree that this is a problem, though it is not possible to do
> anything harmful with it. In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
>
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
>
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
>
> We can't do that; this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
>
> --
> Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
>
[ Attachment, skipping... ]
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
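Added example in C (not code from this thread or from libpq) modelling the two escaping policies discussed above: the pre-patch one that writes a NUL byte as the two characters "\0", and the post-patch one that drops NUL bytes. The decoder `decode_octal_escapes`, the sample input and all function names are constructed for this illustration; it shows how "\0" followed by the digits "12" collapses into a single newline byte once an octal-escape pass runs over the escaped text, while the NUL-dropping policy keeps the digits intact.

```c
#include <stddef.h>
#include <string.h>

/* Escape `len` bytes of `from` into `to`, doubling ' and \ the way
 * libpq-style escaping does. With escape_nul != 0 a NUL byte becomes the
 * characters "\0" (the behaviour the thread describes as the bug);
 * otherwise NUL bytes are dropped. Returns the number of bytes written.
 * `to` needs room for 2*len + 1 bytes. */
size_t escape_bytes(char *to, const char *from, size_t len, int escape_nul)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = from[i];
        if (c == '\'' || c == '\\') {
            to[n++] = '\\';
            to[n++] = c;
        } else if (c == '\0') {
            if (escape_nul) { to[n++] = '\\'; to[n++] = '0'; }
        } else {
            to[n++] = c;
        }
    }
    to[n] = '\0';
    return n;
}

/* Minimal model of a later backslash-escape pass over the escaped text:
 * \ooo (1-3 octal digits) becomes one byte, \x becomes x. Returns the
 * number of decoded bytes (a decoded NUL would truncate a C string). */
size_t decode_octal_escapes(char *out, const char *in)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (*p != '\\') { out[n++] = *p; continue; }
        p++;
        if (*p >= '0' && *p <= '7') {
            int v = 0, digits = 0;
            while (digits < 3 && *p >= '0' && *p <= '7') {
                v = v * 8 + (*p - '0');
                p++; digits++;
            }
            p--;                  /* outer loop advances past the last digit */
            out[n++] = (char)v;
        } else if (*p) {
            out[n++] = *p;
        } else {
            break;                /* trailing lone backslash: stop */
        }
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample input: 'a', a NUL byte, then the octal digits "12". */
static const char SAMPLE[] = {'a', '\0', '1', '2'};

/* Escape SAMPLE with the given policy, then run the result through the
 * octal decoder. Returns the decoded length; `decoded` needs 16 bytes. */
size_t roundtrip_sample(int escape_nul, char decoded[16])
{
    char escaped[16];
    escape_bytes(escaped, SAMPLE, sizeof SAMPLE, escape_nul);
    return decode_octal_escapes(decoded, escaped);
}
```

With the NUL-as-"\0" policy the four input bytes decode to just "a" followed by a newline (octal 012), so the user's "12" is lost; with NULs dropped the digits survive.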