Fixes additional sql injection vulnerabilities reported by Oliver Jowett
authorBarry Lind <barry@xythos.com>
Thu, 24 Jul 2003 00:30:39 +0000 (00:30 +0000)
committerBarry Lind <barry@xythos.com>
Thu, 24 Jul 2003 00:30:39 +0000 (00:30 +0000)
and Dmitry Tkach.  Specifically the previous fix still allowed the statement termination character through in unquoted places in the sql statement, and the driver never correctly handled someone passing a value of \0 in a string which under the v2 protocol would end the statement causing the following text to possibly
be treated as a new sql statement
 Modified Files:
  jdbc/org/postgresql/Driver.java.in
  jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

src/interfaces/jdbc/org/postgresql/Driver.java.in
src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

index 16f0d99c06eea61e5ebb052a14bcd3537217bcd1..27558e69ed59c8ccd2878198f9cba29f1e3d9c5f 100644 (file)
@@ -6,7 +6,7 @@
  * Copyright (c) 2003, PostgreSQL Global Development Group
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/Attic/Driver.java.in,v 1.33 2003/07/22 05:17:09 barry Exp $
+ *       $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/Attic/Driver.java.in,v 1.34 2003/07/24 00:30:38 barry Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -503,6 +503,6 @@ public class Driver implements java.sql.Driver
 
 
        //The build number should be incremented for every new build
-       private static int m_buildNumber = 207;
+       private static int m_buildNumber = 208;
 
 }
index c8af729b9aae517c827055fa6ba8b3a11f0d9a4d..9d4407399e6cff0b1c9b07264b9b6ddc2dfb6fb6 100644 (file)
@@ -25,7 +25,7 @@ import java.sql.Timestamp;
 import java.sql.Types;
 import java.util.Vector;
 
-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.28 2003/07/22 05:17:09 barry Exp $
+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.29 2003/07/24 00:30:39 barry Exp $
  * This class defines methods of the jdbc1 specification.  This class is
  * extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
  * methods.  The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -1036,7 +1036,7 @@ public abstract class AbstractJdbc1Statement implements BaseStatement
                                sbuf.setLength(0);
                                sbuf.ensureCapacity(x.length() + (int)(x.length() / 10));
                                sbuf.append('\'');
-                               escapeString(x, sbuf);
+                               escapeString(x, sbuf, true);
                                sbuf.append('\'');
                                bind(parameterIndex, sbuf.toString(), type);
                        }
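Review bot: The call `escapeString(x, sbuf, true);` now propagates an unchecked IllegalArgumentException when the parameter contains `\0`, so a caller of this JDBC setter that catches only SQLException will see an uncaught runtime exception instead of a driver error (the enclosing setter's signature is outside the hunk, but JDBC setters are declared to throw SQLException). The same applies to the `escapeString(p_input, sbuf, false);` call in the next hunk, where both `;` and `\0` are rejected. Since escapeString is private, the cleaner fix is to have it declare `throws SQLException` and replace the two `throw new IllegalArgumentException(...)` sites with `throw new SQLException("\\0 not allowed")` / `throw new SQLException("semicolon not allowed")`, so rejection of an untrusted value surfaces through the documented error path rather than as a crash. Separately, the new switch body in the escapeString hunk is indented with tabs while the surrounding method uses spaces; it is worth reindenting to match the file.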
@@ -1050,18 +1050,30 @@ public abstract class AbstractJdbc1Statement implements BaseStatement
         {
             sbuf.setLength(0);
             sbuf.ensureCapacity(p_input.length());
-            escapeString(p_input, sbuf);
+            escapeString(p_input, sbuf, false);
             return sbuf.toString();
         }
     }
 
-    private void escapeString(String p_input, StringBuffer p_output) {
+    private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
         for (int i = 0 ; i < p_input.length() ; ++i)
         {
             char c = p_input.charAt(i);
-            if (c == '\\' || c == '\'')
-                p_output.append((char)'\\');
-            p_output.append(c);
+                       switch (c)
+                       {
+                           case '\\':
+                           case '\'':
+                                       p_output.append('\\');
+                                       p_output.append(c);
+                                       break;
+                           case '\0':
+                                       throw new IllegalArgumentException("\\0 not allowed");
+                           case ';':
+                                       if (!p_allowStatementTerminator)
+                                               throw new IllegalArgumentException("semicolon not allowed");
+                               default:
+                                       p_output.append(c);
+                       }
         }
     }