From: | barry(at)svr1(dot)postgresql(dot)org (Barry Lind) |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql-server/src/interfaces/jdbc/org/postgresq ... |
Date: | 2003-07-24 00:30:39 |
Message-ID: | 20030724003039.356CFD1C970@svr1.postgresql.org |
Lists: | pgsql-committers |
CVSROOT: /cvsroot
Module name: pgsql-server
Changes by: barry(at)svr1(dot)postgresql(dot)org 03/07/23 21:30:39
Modified files:
src/interfaces/jdbc/org/postgresql: Driver.java.in
src/interfaces/jdbc/org/postgresql/jdbc1:
AbstractJdbc1Statement.java
Log message:
Fixes additional SQL injection vulnerabilities reported by Oliver Jowett
and Dmitry Tkach. Specifically, the previous fix still allowed the statement termination character through in unquoted places in the SQL statement, and the driver never correctly handled someone passing a value of \0 in a string, which under the v2 protocol would end the statement, causing the following text to possibly be treated as a new SQL statement.
Modified Files:
jdbc/org/postgresql/Driver.java.in
jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
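
The \0 case from the log message above, as an added example (not the driver code from this commit): it shows where a NUL-terminated v2 Query frame ends when a substituted string contains \0, next to a quoting helper that refuses such values. The class and method names are hypothetical, the sample value is constructed, and the backslash doubling assumes a server that treats backslash as an escape inside string literals.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.sql.SQLException;

public class V2QueryFraming {
    // Hypothetical helper: quote a string parameter for inline substitution,
    // refusing NUL because a v2 Query frame cannot carry it inside the SQL text.
    static String quoteLiteral(String value) throws SQLException {
        StringBuilder sb = new StringBuilder(value.length() + 2).append('\'');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                throw new SQLException("zero byte in string parameter at index " + i);
            }
            if (c == '\'' || c == '\\') {
                sb.append(c); // double single quotes and backslashes
            }
            sb.append(c);
        }
        return sb.append('\'').toString();
    }

    // v2 Query frame: 'Q', the SQL bytes, then one terminating NUL; no length field.
    static byte[] frameQuery(String sql) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] body = sql.getBytes(StandardCharsets.UTF_8);
        out.write('Q');
        out.write(body, 0, body.length);
        out.write(0);
        return out.toByteArray();
    }

    // What a reader of a NUL-terminated frame takes as the statement text.
    static String statementSeenByReader(byte[] frame) {
        int end = 1;
        while (end < frame.length && frame[end] != 0) end++;
        return new String(frame, 1, end - 1, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String param = "abc\0def"; // constructed sample value with an embedded NUL
        // Unchecked substitution: the frame is cut short at the embedded NUL.
        byte[] naive = frameQuery("SELECT * FROM t WHERE name = '" + param + "'");
        System.out.println("reader sees: " + statementSeenByReader(naive));
        try {
            frameQuery("SELECT * FROM t WHERE name = " + quoteLiteral(param));
        } catch (SQLException e) {
            System.out.println("rejected before framing: " + e.getMessage());
        }
    }
}
```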