
Disable the use of Unicode escapes in string constants (U&'') when standard_conforming_strings is not on, for security reasons.
This commit is contained in:
Peter Eisentraut
2009-05-05 18:32:17 +00:00
parent 616bceb8cb
commit 40bc4c2605
4 changed files with 76 additions and 2 deletions


@ -24,7 +24,7 @@
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $
*
*-------------------------------------------------------------------------
*/
@ -469,6 +469,11 @@ other .
startlit();
}
{xusstart} {
if (!standard_conforming_strings)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("unsafe use of string constant with Unicode escapes"),
errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));
SET_YYLLOC();
BEGIN(xus);
startlit();
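Review bot: The new `if (!standard_conforming_strings)` check in the {xusstart} rule calls ereport() before SET_YYLLOC() and passes no error-position field, so the client gets the message without a cursor; the expected output added in this commit's second file section shows exactly that (no `LINE 1:` line), whereas the neighbouring "invalid Unicode escape" errors in the same file do carry one. Moving `SET_YYLLOC();` above the check and appending `lexer_errposition()` as the last argument of the ereport() list would point the user at the offending literal, assuming that helper is the position macro this scanner uses elsewhere (it is not visible in the hunk). The errdetail text is good as is: it names the setting the user has to change rather than just rejecting the input. The rule's closing brace lies outside the hunk, so I cannot see whether anything after startlit() also depends on yylloc having been set.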


@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - third line'"
LINE 3: ' - third line'
^
-- Unicode escapes
SET standard_conforming_strings TO on;
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
data
------
@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
dat\+000061
(1 row)
SELECT U&' \' UESCAPE '!' AS "tricky";
tricky
--------
\
(1 row)
SELECT 'tricky' AS U&"\" UESCAPE '!';
\
--------
tricky
(1 row)
SELECT U&'wrong: \061';
ERROR: invalid Unicode escape value at or near "\061'"
LINE 1: SELECT U&'wrong: \061';
@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+';
ERROR: invalid Unicode escape character at or near "+'"
LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';
^
SET standard_conforming_strings TO off;
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
SELECT U&' \' UESCAPE '!' AS "tricky";
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
SELECT 'tricky' AS U&"\" UESCAPE '!';
\
--------
tricky
(1 row)
SELECT U&'wrong: \061';
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
SELECT U&'wrong: \+0061';
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
SELECT U&'wrong: +0061' UESCAPE '+';
ERROR: unsafe use of string constant with Unicode escapes
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
RESET standard_conforming_strings;
--
-- test conversions between various string types
-- E021-10 implicit casting among the character data types


@ -17,13 +17,32 @@ SELECT 'first line'
AS "Illegal comment within continuation";
-- Unicode escapes
SET standard_conforming_strings TO on;
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
SELECT U&' \' UESCAPE '!' AS "tricky";
SELECT 'tricky' AS U&"\" UESCAPE '!';
SELECT U&'wrong: \061';
SELECT U&'wrong: \+0061';
SELECT U&'wrong: +0061' UESCAPE '+';
SET standard_conforming_strings TO off;
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
SELECT U&' \' UESCAPE '!' AS "tricky";
SELECT 'tricky' AS U&"\" UESCAPE '!';
SELECT U&'wrong: \061';
SELECT U&'wrong: \+0061';
SELECT U&'wrong: +0061' UESCAPE '+';
RESET standard_conforming_strings;
--
-- test conversions between various string types
-- E021-10 implicit casting among the character data types