From 40bc4c260508e8a2579bd2106e1f81b6795d147b Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Tue, 5 May 2009 18:32:17 +0000 Subject: [PATCH] Disable the use of Unicode escapes in string constants (U&'') when standard_conforming_strings is not on, for security reasons. --- doc/src/sgml/syntax.sgml | 13 ++++++++- src/backend/parser/scan.l | 7 ++++- src/test/regress/expected/strings.out | 39 +++++++++++++++++++++++++++ src/test/regress/sql/strings.sql | 19 +++++++++++++ 4 files changed, 76 insertions(+), 2 deletions(-) diff --git a/doc/src/sgml/syntax.sgml b/doc/src/sgml/syntax.sgml index 48bf5a4feb..cf929f0b72 100644 --- a/doc/src/sgml/syntax.sgml +++ b/doc/src/sgml/syntax.sgml @@ -1,4 +1,4 @@ - + SQL Syntax @@ -499,6 +499,17 @@ U&'d!0061t!+000061' UESCAPE '!' specified. + + Also, the Unicode escape syntax for string constants only works + when the configuration + parameter is + turned on. This is because otherwise this syntax could confuse + clients that parse the SQL statements to the point that it could + lead to SQL injections and similar security issues. If the + parameter is set to off, this syntax will be rejected with an + error message. + + To include the escape character in the string literally, write it twice. diff --git a/src/backend/parser/scan.l b/src/backend/parser/scan.l index 8551cd2753..eb0fc10c8f 100644 --- a/src/backend/parser/scan.l +++ b/src/backend/parser/scan.l @@ -24,7 +24,7 @@ * Portions Copyright (c) 1994, Regents of the University of California * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $ * *------------------------------------------------------------------------- */ @@ -469,6 +469,11 @@ other . startlit(); } {xusstart} { + if (!standard_conforming_strings) + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("unsafe use of string constant with Unicode escapes"), + errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off."))); SET_YYLLOC(); BEGIN(xus); startlit(); diff --git a/src/test/regress/expected/strings.out b/src/test/regress/expected/strings.out index 6b9dc5df9f..831fb9e203 100644 --- a/src/test/regress/expected/strings.out +++ b/src/test/regress/expected/strings.out @@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - third line'" LINE 3: ' - third line' ^ -- Unicode escapes +SET standard_conforming_strings TO on; SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; data ------ @@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; dat\+000061 (1 row) +SELECT U&' \' UESCAPE '!' AS "tricky"; + tricky +-------- + \ +(1 row) + +SELECT 'tricky' AS U&"\" UESCAPE '!'; + \ +-------- + tricky +(1 row) + SELECT U&'wrong: \061'; ERROR: invalid Unicode escape value at or near "\061'" LINE 1: SELECT U&'wrong: \061'; @@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+'; ERROR: invalid Unicode escape character at or near "+'" LINE 1: SELECT U&'wrong: +0061' UESCAPE '+'; ^ +SET standard_conforming_strings TO off; +SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&' \' UESCAPE '!' AS "tricky"; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT 'tricky' AS U&"\" UESCAPE '!'; + \ +-------- + tricky +(1 row) + +SELECT U&'wrong: \061'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'wrong: \+0061'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'wrong: +0061' UESCAPE '+'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +RESET standard_conforming_strings; -- -- test conversions between various string types -- E021-10 implicit casting among the character data types diff --git a/src/test/regress/sql/strings.sql b/src/test/regress/sql/strings.sql index 0da88c7b29..a28c75ac04 100644 --- a/src/test/regress/sql/strings.sql +++ b/src/test/regress/sql/strings.sql @@ -17,13 +17,32 @@ SELECT 'first line' AS "Illegal comment within continuation"; -- Unicode escapes +SET standard_conforming_strings TO on; + +SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; +SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; + +SELECT U&' \' UESCAPE '!' AS "tricky"; +SELECT 'tricky' AS U&"\" UESCAPE '!'; + +SELECT U&'wrong: \061'; +SELECT U&'wrong: \+0061'; +SELECT U&'wrong: +0061' UESCAPE '+'; + +SET standard_conforming_strings TO off; + SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; +SELECT U&' \' UESCAPE '!' AS "tricky"; +SELECT 'tricky' AS U&"\" UESCAPE '!'; + SELECT U&'wrong: \061'; SELECT U&'wrong: \+0061'; SELECT U&'wrong: +0061' UESCAPE '+'; +RESET standard_conforming_strings; + -- -- test conversions between various string types -- E021-10 implicit casting among the character data types -- 2.40.0