From: Barry Lind
Date: Wed, 23 Jul 2003 23:34:31 +0000 (+0000)
Subject: Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett
X-Git-Tag: REL7_3_4~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=83bc9b9d2ef0bf934d142a90f777b81fe10119b1;p=postgresql

Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett and Dmitry Tkach
Modified Files: Tag: REL7_3_STABLE jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
---
diff --git a/src/interfaces/jdbc/org/postgresql/Driver.java.in b/src/interfaces/jdbc/org/postgresql/Driver.java.in
index 164c1d056b..241c5889de 100644
--- a/src/interfaces/jdbc/org/postgresql/Driver.java.in
+++ b/src/interfaces/jdbc/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 }
 //The build number should be incremented for every new build
- private static int m_buildNumber = 111;
+ private static int m_buildNumber = 112;
 }
diff --git a/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
index 1558e2b502..77f5187d17 100644
--- a/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -8,7 +8,7 @@
 import java.util.Vector;
 import org.postgresql.largeobject.*;
 import org.postgresql.util.*;
-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.5 2003/07/22 05:13:05 barry Exp $
+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.6 2003/07/23 23:34:31 barry Exp $
 * This class defines methods of the jdbc1 specification. This class is
 * extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
 * methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 sbuf.setLength(0);
 sbuf.ensureCapacity(x.length());
 sbuf.append('\'');
- escapeString(x, sbuf);
+ escapeString(x, sbuf, true);
 sbuf.append('\'');
 bind(parameterIndex, sbuf.toString(), type);
 }
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 {
 sbuf.setLength(0);
 sbuf.ensureCapacity(p_input.length());
- escapeString(p_input, sbuf);
+ escapeString(p_input, sbuf, false);
 return sbuf.toString();
 }
 }
 
- private void escapeString(String p_input, StringBuffer p_output) {
+ /*
+ * p_allowStatementTerminator determines if a semi-colon is allowed in the
+ * returned value. A semi-colon should only be allowed if the resulting
+ * string will be enclosed in single quotes in a sql string, or will be
+ * passed by value to the server via a bind thus bypassing the sql parser
+ * on the server.
+ */
+ private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
 for (int i = 0 ; i < p_input.length() ; ++i)
 {
 char c = p_input.charAt(i);
- if (c == '\\' || c == '\'')
- p_output.append((char)'\\');
- p_output.append(c);
+ switch (c)
+ {
+ case '\\':
+ case '\'':
+ p_output.append('\\');
+ p_output.append(c);
+ break;
+ case '\0':
+ throw new IllegalArgumentException("\\0 not allowed");
+ case ';':
+ if (!p_allowStatementTerminator)
+ throw new IllegalArgumentException("semicolon not allowed");
+ default:
+ p_output.append(c);
+ }
 }
 }
 
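Review bot: In the new `escapeString`, the `p_allowStatementTerminator == false` path rejects only `;`, which closes the stacked-statement vector but remains a denylist: if the escaped value is ever spliced into SQL without quotes, as the header comment implies can happen, whitespace, comment markers (`--`, `/*`) or operators can still change the statement's meaning without any semicolon. The contract the comment itself describes — every result must be single-quoted or passed as a bind value — is the real safeguard, so I would state it as a hard requirement rather than a condition, e.g. `// Callers MUST quote or bind the result; rejecting ';' and NUL is defence in depth, not a substitute`, and audit the `false` caller in the -928 hunk (its enclosing method starts outside the hunk). The `case '\0'` rejection carries no rationale; presumably it exists because a NUL would terminate the query as a C string on the server and drop everything after it, including the closing quote, which deserves a one-line comment. Throwing `IllegalArgumentException` from a path reached through JDBC setters that declare `SQLException` means a caller's `catch (SQLException)` will not see it; if the driver has its own `SQLException` subclass, that would be the consistent choice, though I cannot see from this hunk how the enclosing setters handle exceptions. The allowed-`;` case intentionally falls through to `default`; a `// fall through` comment would make that explicit.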