From 984e5beb38a7c79a5a9243865d9598c405df17f6 Mon Sep 17 00:00:00 2001
From: Noah Misch
Date: Mon, 8 Aug 2016 10:07:46 -0400
Subject: [PATCH] Sort out paired double quotes in \connect, \password and \crosstabview.

In arguments, these meta-commands wrongly treated each pair as closing the double quoted string. Make the behavior match the documentation. This is a compatibility break, but I more expect to find software with untested reliance on the documented behavior than software reliant on today's behavior. Back-patch to 9.1 (all supported versions). Reviewed by Tom Lane and Peter Eisentraut.

Security: CVE-2016-5424
---
 src/bin/psql/psqlscanslash.l | 3 ++-
 src/test/regress/expected/psql_crosstab.out | 16 ++++++++--------
 src/test/regress/sql/psql_crosstab.sql | 4 ++--
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/bin/psql/psqlscanslash.l b/src/bin/psql/psqlscanslash.l
index 90854afeb0..86832a8653 100644
--- a/src/bin/psql/psqlscanslash.l
+++ b/src/bin/psql/psqlscanslash.l
@@ -671,7 +671,8 @@ dequote_downcase_identifier(char *str, bool downcase, int encoding)
 /* Keep the first quote, remove the second */
 cp++;
 }
- inquotes = !inquotes;
+ else
+ inquotes = !inquotes;
 /* Collapse out quote at *cp */
 memmove(cp, cp + 1, strlen(cp));
 /* do not advance cp */
diff --git a/src/test/regress/expected/psql_crosstab.out b/src/test/regress/expected/psql_crosstab.out
index 9be36c4480..b583323a9e 100644
--- a/src/test/regress/expected/psql_crosstab.out
+++ b/src/test/regress/expected/psql_crosstab.out
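Review bot: The new `else` branch in dequote_downcase_identifier carries no comment, so the rule this CVE fix depends on (a `""` pair inside a quoted section is one literal quote and must not flip `inquotes`) is only implicit in the control flow. I would add `/* A lone quote opens or closes the quoted section; a doubled quote inside quotes is data and never toggles it */` above the `else`. Since the commit message says this dequoting serves \connect and \password arguments, it may also be worth confirming what happens when the string ends with `inquotes` still true. The function starts and ends outside this hunk, so that path is not visible here.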
@@ -46,19 +46,19 @@ SELECT v, to_char(d, 'Mon') AS "month name", EXTRACT(month FROM d) AS num,
 (3 rows)
 
 -- ordered months in vertical header, ordered years in horizontal header
-SELECT EXTRACT(year FROM d) AS year, to_char(d,'Mon') AS "month name",
+SELECT EXTRACT(year FROM d) AS year, to_char(d,'Mon') AS """month"" name",
 EXTRACT(month FROM d) AS month,
 format('sum=%s avg=%s', sum(i), avg(i)::numeric(2,1))
 FROM ctv_data
 GROUP BY EXTRACT(year FROM d), to_char(d,'Mon'), EXTRACT(month FROM d)
 ORDER BY month
-\crosstabview "month name" year format year
- month name | 2014 | 2015
-------------+-----------------+----------------
- Jan | | sum=3 avg=3.0
- Apr | | sum=10 avg=5.0
- Jul | sum=5 avg=5.0 | sum=4 avg=4.0
- Dec | sum=-3 avg=-3.0 |
+\crosstabview """month"" name" year format year
+ "month" name | 2014 | 2015
+--------------+-----------------+----------------
+ Jan | | sum=3 avg=3.0
+ Apr | | sum=10 avg=5.0
+ Jul | sum=5 avg=5.0 | sum=4 avg=4.0
+ Dec | sum=-3 avg=-3.0 |
 (4 rows)
 
 -- combine contents vertically into the same cell (V/H duplicates)
diff --git a/src/test/regress/sql/psql_crosstab.sql b/src/test/regress/sql/psql_crosstab.sql
index dff023876b..1237e82f2d 100644
--- a/src/test/regress/sql/psql_crosstab.sql
+++ b/src/test/regress/sql/psql_crosstab.sql
@@ -29,13 +29,13 @@ SELECT v, to_char(d, 'Mon') AS "month name", EXTRACT(month FROM d) AS num,
 \crosstabview v "month name" 4 num
 
 -- ordered months in vertical header, ordered years in horizontal header
-SELECT EXTRACT(year FROM d) AS year, to_char(d,'Mon') AS "month name",
+SELECT EXTRACT(year FROM d) AS year, to_char(d,'Mon') AS """month"" name",
 EXTRACT(month FROM d) AS month,
 format('sum=%s avg=%s', sum(i), avg(i)::numeric(2,1))
 FROM ctv_data
 GROUP BY EXTRACT(year FROM d), to_char(d,'Mon'), EXTRACT(month FROM d)
 ORDER BY month
-\crosstabview "month name" year format year
+\crosstabview """month"" name" year format year
 
 -- combine contents vertically into the same cell (V/H duplicates)
 SELECT v, h, string_agg(c, E'\n') FROM ctv_data GROUP BY v, h ORDER BY 1,2,3
-- 
2.40.0
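Review bot: The only regression case for the paired-quote fix is this \crosstabview call, and it replaces the previous `\crosstabview "month name" year format year` case rather than adding a new one. The commit message also names \connect and \password as affected, yet the visible hunks give them no coverage; a test for them may live elsewhere or be impractical in this suite, so treat this as a question. A short comment above the query, e.g. `-- column name holds embedded double quotes, written as "" inside the quoted argument`, would tell a later reader why the alias is written this way.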