import org.postgresql.largeobject.*;
import org.postgresql.util.*;
-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.5 2003/07/22 05:13:05 barry Exp $
+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.6 2003/07/23 23:34:31 barry Exp $
* This class defines methods of the jdbc1 specification. This class is
* extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
* methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
sbuf.setLength(0);
sbuf.ensureCapacity(x.length());
sbuf.append('\'');
- escapeString(x, sbuf);
+ escapeString(x, sbuf, true);
sbuf.append('\'');
bind(parameterIndex, sbuf.toString(), type);
}
{
sbuf.setLength(0);
sbuf.ensureCapacity(p_input.length());
- escapeString(p_input, sbuf);
+ escapeString(p_input, sbuf, false);
return sbuf.toString();
}
}
- private void escapeString(String p_input, StringBuffer p_output) {
+ /*
+ * p_allowStatementTerminator determines if a semi-colon is allowed in the
+ * returned value. A semi-colon should only be allowed if the resulting
+ * string will be enclosed in single quotes in a sql string, or will be
+ * passed by value to the server via a bind thus bypassing the sql parser
+ * on the server.
+ */
+ private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
for (int i = 0 ; i < p_input.length() ; ++i)
{
char c = p_input.charAt(i);
- if (c == '\\' || c == '\'')
- p_output.append((char)'\\');
- p_output.append(c);
+ switch (c)
+ {
+ case '\\':
+ case '\'':
+ p_output.append('\\');
+ p_output.append(c);
+ break;
+ case '\0':
+ throw new IllegalArgumentException("\\0 not allowed");
+ case ';':
+ if (!p_allowStatementTerminator)
+ throw new IllegalArgumentException("semicolon not allowed");
+ default:
+ p_output.append(c);
+ }
}
}
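Review bot: `case ';'` at line 48 falls through into `default` when p_allowStatementTerminator is true; that is the intended path (the semicolon is appended unchanged), but without a marker it reads like a forgotten `break`, so add `// fall through: terminator is permitted here, emit it as-is` before `default:`. The new block comment at lines 25–31 explains the parameter but not that the helper now throws, and both callers (the quoted-value path ending at line 15 and the unquoted path ending at line 22) are reached from public JDBC entry points; document it with `@throws IllegalArgumentException if p_input contains a NUL character, or a semicolon when p_allowStatementTerminator is false`, so a maintainer knows a value can be rejected rather than escaped. It would also help to state in that comment that the semicolon check is only a backstop: per lines 26–30 the enclosing single quotes or the bind path are what keep the value out of the server's parser, and any caller that builds unquoted SQL from the line-22 result must pass false. The `@@` header of this hunk is not visible, but the escapeString body is complete within it.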