Disable the use of Unicode escapes in string constants (U&'') when
standard_conforming_strings is not on, for security reasons.
This commit is contained in:
parent
616bceb8cb
commit
40bc4c2605
@ -1,4 +1,4 @@
|
|||||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009/04/27 16:27:36 momjian Exp $ -->
|
<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009/05/05 18:32:17 petere Exp $ -->
|
||||||
|
|
||||||
<chapter id="sql-syntax">
|
<chapter id="sql-syntax">
|
||||||
<title>SQL Syntax</title>
|
<title>SQL Syntax</title>
|
||||||
@ -499,6 +499,17 @@ U&'d!0061t!+000061' UESCAPE '!'
|
|||||||
specified.
|
specified.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Also, the Unicode escape syntax for string constants only works
|
||||||
|
when the configuration
|
||||||
|
parameter <xref linkend="guc-standard-conforming-strings"> is
|
||||||
|
turned on. This is because otherwise this syntax could confuse
|
||||||
|
clients that parse the SQL statements to the point that it could
|
||||||
|
lead to SQL injections and similar security issues. If the
|
||||||
|
parameter is set to off, this syntax will be rejected with an
|
||||||
|
error message.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
To include the escape character in the string literally, write it
|
To include the escape character in the string literally, write it
|
||||||
twice.
|
twice.
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
* Portions Copyright (c) 1994, Regents of the University of California
|
* Portions Copyright (c) 1994, Regents of the University of California
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $
|
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $
|
||||||
*
|
*
|
||||||
*-------------------------------------------------------------------------
|
*-------------------------------------------------------------------------
|
||||||
*/
|
*/
|
||||||
@ -469,6 +469,11 @@ other .
|
|||||||
startlit();
|
startlit();
|
||||||
}
|
}
|
||||||
{xusstart} {
|
{xusstart} {
|
||||||
|
if (!standard_conforming_strings)
|
||||||
|
ereport(ERROR,
|
||||||
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||||
|
errmsg("unsafe use of string constant with Unicode escapes"),
|
||||||
|
errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));
|
||||||
SET_YYLLOC();
|
SET_YYLLOC();
|
||||||
BEGIN(xus);
|
BEGIN(xus);
|
||||||
startlit();
|
startlit();
|
||||||
|
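Review bot: The new ereport in the `{xusstart}` rule fires before `SET_YYLLOC()` and attaches no error position, so the client gets no cursor for the offending token; the expected output in this same commit shows it (`ERROR: unsafe use of string constant with Unicode escapes` is followed directly by `DETAIL:`, with no `LINE 1:` line, unlike the `invalid Unicode escape value` errors a few lines below in the same file). Moving `SET_YYLLOC();` above the `if` and adding the scanner's error-position helper to the ereport (e.g. `lexer_errposition()`, if this revision of scan.l already defines it) would make the error point at the `U&'` start like its siblings. A comment above the check would also help the next reader, since the reason is only stated in the SGML change: `/* Reject U&'' literals unless standard_conforming_strings is on: otherwise the escapes inside them can confuse clients that parse SQL text */`. The rule's closing brace lies outside the hunk.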
@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - third line'"
|
|||||||
LINE 3: ' - third line'
|
LINE 3: ' - third line'
|
||||||
^
|
^
|
||||||
-- Unicode escapes
|
-- Unicode escapes
|
||||||
|
SET standard_conforming_strings TO on;
|
||||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||||
data
|
data
|
||||||
------
|
------
|
||||||
@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
|||||||
dat\+000061
|
dat\+000061
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
|
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||||
|
tricky
|
||||||
|
--------
|
||||||
|
\
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||||
|
\
|
||||||
|
--------
|
||||||
|
tricky
|
||||||
|
(1 row)
|
||||||
|
|
||||||
SELECT U&'wrong: \061';
|
SELECT U&'wrong: \061';
|
||||||
ERROR: invalid Unicode escape value at or near "\061'"
|
ERROR: invalid Unicode escape value at or near "\061'"
|
||||||
LINE 1: SELECT U&'wrong: \061';
|
LINE 1: SELECT U&'wrong: \061';
|
||||||
@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+';
|
|||||||
ERROR: invalid Unicode escape character at or near "+'"
|
ERROR: invalid Unicode escape character at or near "+'"
|
||||||
LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';
|
LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';
|
||||||
^
|
^
|
||||||
|
SET standard_conforming_strings TO off;
|
||||||
|
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||||
|
\
|
||||||
|
--------
|
||||||
|
tricky
|
||||||
|
(1 row)
|
||||||
|
|
||||||
|
SELECT U&'wrong: \061';
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
SELECT U&'wrong: \+0061';
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||||
|
ERROR: unsafe use of string constant with Unicode escapes
|
||||||
|
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||||
|
RESET standard_conforming_strings;
|
||||||
--
|
--
|
||||||
-- test conversions between various string types
|
-- test conversions between various string types
|
||||||
-- E021-10 implicit casting among the character data types
|
-- E021-10 implicit casting among the character data types
|
||||||
|
@ -17,13 +17,32 @@ SELECT 'first line'
|
|||||||
AS "Illegal comment within continuation";
|
AS "Illegal comment within continuation";
|
||||||
|
|
||||||
-- Unicode escapes
|
-- Unicode escapes
|
||||||
|
SET standard_conforming_strings TO on;
|
||||||
|
|
||||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||||
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||||
|
|
||||||
|
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||||
|
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||||
|
|
||||||
SELECT U&'wrong: \061';
|
SELECT U&'wrong: \061';
|
||||||
SELECT U&'wrong: \+0061';
|
SELECT U&'wrong: \+0061';
|
||||||
SELECT U&'wrong: +0061' UESCAPE '+';
|
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||||
|
|
||||||
|
SET standard_conforming_strings TO off;
|
||||||
|
|
||||||
|
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||||
|
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||||
|
|
||||||
|
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||||
|
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||||
|
|
||||||
|
SELECT U&'wrong: \061';
|
||||||
|
SELECT U&'wrong: \+0061';
|
||||||
|
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||||
|
|
||||||
|
RESET standard_conforming_strings;
|
||||||
|
|
||||||
--
|
--
|
||||||
-- test conversions between various string types
|
-- test conversions between various string types
|
||||||
-- E021-10 implicit casting among the character data types
|
-- E021-10 implicit casting among the character data types
|
||||||
|
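Review bot: After `SET standard_conforming_strings TO off;` the test keeps `SELECT 'tricky' AS U&"\" UESCAPE '!';`, which the expected output shows still succeeds, but nothing in the file says this is deliberate, so a later reader could mistake the surviving identifier case for a gap in the new check. A comment before that statement, `-- U&"" identifiers are still accepted with standard_conforming_strings off; only U&'' string constants are rejected`, would record the scope of the check in the test itself. Closing the block with `RESET standard_conforming_strings;` is the right choice, since the following conversion tests presumably expect the default setting.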