From 5547e2c559fa652eb7c93ab1b5b589c7b9d550a8 Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Fri, 30 Jun 2006 13:57:46 +0000 Subject: Change ${quote_pgsql to quote ' as '' instead of \' because of a security issue. --- src/src/lookups/pgsql.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/src/lookups/pgsql.c b/src/src/lookups/pgsql.c index 207422c6d..caefeef18 100644 --- a/src/src/lookups/pgsql.c +++ b/src/src/lookups/pgsql.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.4 2006/02/07 11:19:01 ph10 Exp $ */ +/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.5 2006/06/30 13:57:46 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -422,6 +422,16 @@ to allow escaping "on spec". If you use something like "where id="ab\%cd" it does treat the string as "ab%cd". So we can safely quote percent and underscore. [This is different to MySQL, where you can't do this.] +The original code quoted single quotes as \' which is documented as valid in +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to +the SQL standard '' way of representing a single quote as data. However, in +June 2006 there was some security issue with using \' and so this has been +changed. + +[Note: There is a function called PQescapeStringConn() that quotes strings. +This cannot be used because it needs a PGconn argument (the connection handle). +Why, I don't know. Seems odd for just string escaping...] + Arguments: s the string to be quoted opt additional option text or NULL if none @@ -447,7 +457,12 @@ t = quoted = store_get(Ustrlen(s) + count + 1); while ((c = *s++) != 0) { - if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL) + if (c == '\'') + { + *t++ = '\''; + *t++ = '\''; + } + else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL) { *t++ = '\\'; switch(c) -- cgit v1.2.3