Sort out paired double quotes in \connect, \password and \crosstabview.

In arguments, these meta-commands wrongly treated each pair as closing
the double quoted string.  Make the behavior match the documentation.
This is a compatibility break, but I more expect to find software with
untested reliance on the documented behavior than software reliant on
today's behavior.  Back-patch to 9.1 (all supported versions).

Reviewed by Tom Lane and Peter Eisentraut.

Security: CVE-2016-5424

diff --git a/src/bin/psql/psqlscan.l b/src/bin/psql/psqlscan.l
index 8cef0f248f0a8d4b0a73a486376e4f432536e617..303ce4d3b9fb0343a3f0d7f3e44c6b028d24a0ea 100644 (file)
--- a/src/bin/psql/psqlscan.l
+++ b/src/bin/psql/psqlscan.l
@@ -1616,7 +1616,8 @@ psql_scan_slash_option(PsqlScanState state,
                                                        /* Keep the first quote, remove the second */
                                                        cp++;
                                                }
-                                               inquotes = !inquotes;
+                                               else
+                                                       inquotes = !inquotes;
                                                /* Collapse out quote at *cp */
                                                memmove(cp, cp + 1, strlen(cp));
                                                mybuf.len--;