Add a new GUC parameter backslash_quote, which determines whether the SQL

parser will allow "\'" to be used to represent a literal quote mark.  The
"\'" representation has been deprecated for some time in favor of the
SQL-standard representation "''" (two single quote marks), but it has been
used often enough that just disallowing it immediately won't do.  Hence
backslash_quote allows the settings "on", "off", and "safe_encoding",
the last meaning to allow "\'" only if client_encoding is a valid server
encoding.  That is now the default, and the reason is that in encodings
such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
multibyte character, accepting "\'" allows SQL-injection attacks as per
CVE-2006-2314 (further details will be published after release).  The
"on" setting is available for backward compatibility, but it must not be
used with clients that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.

src/backend/parser/scan.l

@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/scan.l,v 1.111.2.2 2005/08/16 00:48:43 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/scan.l,v 1.111.2.3 2006/05/21 20:11:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -40,6 +40,15 @@ extern YYSTYPE yylval;
 
 static int		xcdepth = 0;	/* depth of nesting in slash-star comments */
 
+/*
+ * GUC variables.  This is a DIRECT violation of the warning given at the
+ * head of gram.y, ie flex/bison code must not depend on any GUC variables;
+ * as such, changing their values can induce very unintuitive behavior.
+ * But we shall have to live with it as a short-term thing until the switch
+ * to SQL-standard string syntax is complete.
+ */
+BackslashQuoteType backslash_quote = BACKSLASH_QUOTE_SAFE_ENCODING;
+
 /*
  * literalbuf is used to accumulate literal values when multiple rules
  * are needed to parse a single literal.  Call startlit to reset buffer
@@ -54,6 +63,7 @@ static int		literalalloc;	/* current allocated buffer size */
 static void addlit(char *ytext, int yleng);
 static void addlitchar(unsigned char ychar);
 static char *litbufdup(void);
+static int	pg_err_position(void);
 
 /*
  * When we parse a token that requires multiple lexer rules to process,
@@ -377,6 +387,17 @@ other			.
 					addlit(yytext, yyleng);
 				}
 <xq>{xqescape}  {
+					if (yytext[1] == '\'')
+					{
+						if (backslash_quote == BACKSLASH_QUOTE_OFF ||
+							(backslash_quote == BACKSLASH_QUOTE_SAFE_ENCODING &&
+							 PG_ENCODING_IS_CLIENT_ONLY(pg_get_client_encoding())))
+							ereport(ERROR,
+									(errcode(ERRCODE_INVALID_USE_OF_ESCAPE_CHARACTER),
+									 errmsg("unsafe use of \\' in a string literal"),
+									 errhint("Use '' to write quotes in strings. \\' is insecure in client-only encodings."),
+									 errposition(pg_err_position())));
+					}
 					addlitchar(unescape_single_char(yytext[1]));
 				}
 <xq>{xqoctesc}  {
@@ -556,14 +577,20 @@ other			.
 
 %%
 
+static int
+pg_err_position(void)
+{
+	const char *loc = token_start ? token_start : yytext;
+
+	/* in multibyte encodings, return index in characters not bytes */
+	return pg_mbstrlen_with_len(scanbuf, loc - scanbuf) + 1;
+}
+
 void
 yyerror(const char *message)
 {
 	const char *loc = token_start ? token_start : yytext;
-	int			cursorpos;
-
-	/* in multibyte encodings, return index in characters not bytes */
-	cursorpos = pg_mbstrlen_with_len(scanbuf, loc - scanbuf) + 1;
+	int			cursorpos = pg_err_position();
 
 	if (*loc == YY_END_OF_BUFFER_CHAR)
 	{

src/backend/utils/misc/guc.c

@@ -10,7 +10,7 @@
  * Written by Peter Eisentraut <peter_e@gmx.net>.
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.4 2006/02/12 22:33:28 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.5 2006/05/21 20:11:58 tgl Exp $
  *
  *--------------------------------------------------------------------
  */
@@ -42,6 +42,7 @@
 #include "optimizer/geqo.h"
 #include "optimizer/paths.h"
 #include "optimizer/prep.h"
+#include "parser/gramparse.h"
 #include "parser/parse_expr.h"
 #include "parser/parse_relation.h"
 #include "parser/scansup.h"
@@ -95,6 +96,8 @@ static const char *assign_msglvl(int *var, const char *newval,
 			  bool doit, bool interactive);
 static const char *assign_log_error_verbosity(const char *newval, bool doit,
 						   bool interactive);
+static const char *assign_backslash_quote(const char *newval, bool doit,
+										  bool interactive);
 static bool assign_phony_autocommit(bool newval, bool doit, bool interactive);
 
 
@@ -144,6 +147,7 @@ static char *log_min_error_statement_str;
 static bool phony_autocommit;
 static bool session_auth_is_superuser;
 static double phony_random_seed;
+static char *backslash_quote_string;
 static char *client_encoding_string;
 static char *datestyle_string;
 static char *default_iso_level_string;
@@ -1281,6 +1285,15 @@ static struct config_real ConfigureNamesReal[] =
 
 static struct config_string ConfigureNamesString[] =
 {
+	{
+		{"backslash_quote", PGC_USERSET, COMPAT_OPTIONS_PREVIOUS,
+			gettext_noop("Sets whether \"\\'\" is allowed in string literals."),
+			gettext_noop("Valid values are ON, OFF, and SAFE_ENCODING.")
+		},
+		&backslash_quote_string,
+		"safe_encoding", assign_backslash_quote, NULL
+	},
+
 	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
@@ -4374,6 +4387,32 @@ assign_log_error_verbosity(const char *newval, bool doit, bool interactive)
 	return newval;				/* OK */
 }
 
+static const char *
+assign_backslash_quote(const char *newval, bool doit, bool interactive)
+{
+	BackslashQuoteType bq;
+	bool	bqbool;
+
+	/*
+	 * Although only "on", "off", and "safe_encoding" are documented,
+	 * we use parse_bool so we can accept all the likely variants of
+	 * "on" and "off".
+	 */
+	if (strcasecmp(newval, "safe_encoding") == 0)
+		bq = BACKSLASH_QUOTE_SAFE_ENCODING;
+	else if (parse_bool(newval, &bqbool))
+	{
+		bq = bqbool ? BACKSLASH_QUOTE_ON : BACKSLASH_QUOTE_OFF;
+	}
+	else
+		return NULL;			/* reject */
+
+	if (doit)
+		backslash_quote = bq;
+
+	return newval;
+}
+
 static bool
 assign_phony_autocommit(bool newval, bool doit, bool interactive)
 {

src/backend/utils/misc/postgresql.conf.sample

@@ -247,6 +247,7 @@
 # - Previous Postgres Versions -
 
 #add_missing_from = true
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
 #regex_flavor = advanced	# advanced, extended, or basic
 #sql_inheritance = true