Re: Need help with quote escaping in exim for postgresql

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Marc Haber <mh+pgsql-general(at)zugschlus(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Need help with quote escaping in exim for postgresql
Date: 2006-07-07 14:53:14
Message-ID: 20060707145314.GD7485@svana.org
Lists: pgsql-general

On Fri, Jul 07, 2006 at 03:48:00PM +0200, Marc Haber wrote:
> Hi,
>
> I am the maintainer of Debian's packages for exim4, a powerful and
> versatile Mail Transfer Agent developed in Cambridge and in wide use
> throughout the Free Software Community (http://www.exim.org/)
>
> One of our daemon flavours has PostgreSQL support. Our security guys
> have found a flaw in exim regarding quote escaping for PostgreSQL. The
> bug is filed in Debian's BTS as http://bugs.debian.org/369351 and was
> transferred to exim's Bugzilla installation as
> http://www.exim.org/bugzilla/show_bug.cgi?id=107.

Whether or not the quick fix works for you depends entirely on the
encoding used by the client to talk to the database. If the connection
is encoded using UTF-8 or any of the Latin series, then it will be
fine. The only time it does not work is if the encoding is an encoding
where the quote or backslash character can appear as the second
character of a multibyte char. This doesn't happen with UTF-8 or any
latin encoding.

http://www.postgresql.org/docs/techdocs.50

This bit may be useful also (especially the second point):

There are a number of mitigating factors that may keep particular
applications from being subject to these security risks:

* If application always sends untrusted strings as out-of-line
parameters, instead of embedding them into SQL commands, it is not
vulnerable.
* If client_encoding is a single-byte encoding (e.g., one of the
LATINx family), there is no vulnerability.
* If application cannot pass invalidly encoded data to the server,
there is no vulnerability (this probably includes all Java
applications, for example, because of Java's handling of Unicode
strings).

The easiest may be to simply always set the client encoding to
something like UTF-8 and work the escaping rules so they work with
that.

Hope this helps,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
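To make the encoding argument in the reply concrete, here is an added example in Python (not from the thread, and not exim's or PostgreSQL's own code): a byte-level backslash escaper of the kind under discussion, a small scanner that reads the escaped literal the way a server with the given client_encoding would, and a defensive variant that applies the second and third mitigating points (reject bytes that are invalid in the connection encoding, then escape per character by doubling quotes). It assumes Shift_JIS as the multibyte client encoding and uses the kanji 表, whose second byte in Shift_JIS is 0x5C, the backslash.

```python
import codecs

def escape_backslash_bytes(raw: bytes) -> bytes:
    """Byte-level escaping with no knowledge of the connection encoding:
    prefix every backslash and quote with a backslash."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def safe_literal(raw: bytes, encoding: str) -> bytes:
    """Defensive version: reject bytes that are not valid in the connection
    encoding, then escape per character by doubling quotes and re-encode."""
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {encoding}") from exc
    return text.replace("'", "''").encode(encoding)

def scan_literal(body: bytes, encoding: str):
    """Read an escaped literal body as a server with client_encoding=encoding
    would.  Returns ("ok", None) if every quote is escaped, ("closed", offset)
    if an unescaped quote ends the literal early, or ("invalid", offset) if
    the bytes do not decode (a server that validates encoding rejects them)."""
    dec = codecs.getincrementaldecoder(encoding)()
    chars = []  # (offset of the character's last byte, character)
    for i, b in enumerate(body):
        try:
            out = dec.decode(bytes([b]), final=(i == len(body) - 1))
        except UnicodeDecodeError:
            return ("invalid", i)
        chars.extend((i, c) for c in out)  # empty while a multibyte char is incomplete
    j = 0
    while j < len(chars):
        off, ch = chars[j]
        if ch == "\\":
            j += 2  # a backslash escapes whatever character follows it
        elif ch == "'" and j + 1 < len(chars) and chars[j + 1][1] == "'":
            j += 2  # '' is an escaped quote
        elif ch == "'":
            return ("closed", off)
        else:
            j += 1
    return ("ok", None)

if __name__ == "__main__":
    # Constructed input: the lead byte of Shift_JIS 表 (0x95 0x5C), then a quote.
    untrusted = "表".encode("shift_jis")[:1] + b"'"
    for enc in ("shift_jis", "utf-8", "latin1"):
        print(enc, scan_literal(escape_backslash_bytes(untrusted), enc))
    # shift_jis -> ('closed', 2): the inserted backslash was absorbed into 表
    print(scan_literal(safe_literal("表'".encode("shift_jis"), "shift_jis"), "shift_jis"))
```

Under Shift_JIS the byte-level escaper's backslash is swallowed as the trailing byte of 表 and the quote is left unescaped, while the same bytes are simply invalid UTF-8 and harmless Latin-1, which is the distinction the reply draws.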
