mirror of
https://github.com/postgres/postgres.git
synced 2025-06-11 20:28:21 +03:00
Promote pg_dumpall shell/connstr quoting functions to src/fe_utils.
Rename these newly-extern functions with terms more typical of their new neighbors. No functional changes; a subsequent commit will use them in more places. Back-patch to 9.1 (all supported versions). Back branches lack src/fe_utils, so instead rename the functions in place; the subsequent commit will copy them into the other programs using them. Security: CVE-2016-5424
This commit is contained in:
Noah Misch
@ -378,6 +378,149 @@ appendByteaLiteral(PQExpBuffer buf, const unsigned char *str, size_t length,
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Append the given string to the shell command being built in the buffer,
|
||||
* with suitable shell-style quoting to create exactly one argument.
|
||||
*
|
||||
* Forbid LF or CR characters, which have scant practical use beyond designing
|
||||
* security breaches. The Windows command shell is unusable as a conduit for
|
||||
* arguments containing LF or CR characters. A future major release should
|
||||
* reject those characters in CREATE ROLE and CREATE DATABASE, because use
|
||||
* there eventually leads to errors here.
|
||||
*/
|
||||
void
|
||||
appendShellString(PQExpBuffer buf, const char *str)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
#ifndef WIN32
|
||||
appendPQExpBufferChar(buf, '\'');
|
||||
for (p = str; *p; p++)
|
||||
{
|
||||
if (*p == '\n' || *p == '\r')
|
||||
{
|
||||
fprintf(stderr,
|
||||
_("shell command argument contains a newline or carriage return: \"%s\"\n"),
|
||||
str);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (*p == '\'')
|
||||
appendPQExpBufferStr(buf, "'\"'\"'");
|
||||
else
|
||||
appendPQExpBufferChar(buf, *p);
|
||||
}
|
||||
appendPQExpBufferChar(buf, '\'');
|
||||
#else /* WIN32 */
|
||||
int backslash_run_length = 0;
|
||||
|
||||
/*
|
||||
* A Windows system() argument experiences two layers of interpretation.
|
||||
* First, cmd.exe interprets the string. Its behavior is undocumented,
|
||||
* but a caret escapes any byte except LF or CR that would otherwise have
|
||||
* special meaning. Handling of a caret before LF or CR differs between
|
||||
* "cmd.exe /c" and other modes, and it is unusable here.
|
||||
*
|
||||
* Second, the new process parses its command line to construct argv (see
|
||||
* https://msdn.microsoft.com/en-us/library/17w5ykft.aspx). This treats
|
||||
* backslash-double quote sequences specially.
|
||||
*/
|
||||
appendPQExpBufferStr(buf, "^\"");
|
||||
for (p = str; *p; p++)
|
||||
{
|
||||
if (*p == '\n' || *p == '\r')
|
||||
{
|
||||
fprintf(stderr,
|
||||
_("shell command argument contains a newline or carriage return: \"%s\"\n"),
|
||||
str);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
/* Change N backslashes before a double quote to 2N+1 backslashes. */
|
||||
if (*p == '"')
|
||||
{
|
||||
while (backslash_run_length)
|
||||
{
|
||||
appendPQExpBufferStr(buf, "^\\");
|
||||
backslash_run_length--;
|
||||
}
|
||||
appendPQExpBufferStr(buf, "^\\");
|
||||
}
|
||||
else if (*p == '\\')
|
||||
backslash_run_length++;
|
||||
else
|
||||
backslash_run_length = 0;
|
||||
|
||||
/*
|
||||
* Decline to caret-escape the most mundane characters, to ease
|
||||
* debugging and lest we approach the command length limit.
|
||||
*/
|
||||
if (!((*p >= 'a' && *p <= 'z') ||
|
||||
(*p >= 'A' && *p <= 'Z') ||
|
||||
(*p >= '0' && *p <= '9')))
|
||||
appendPQExpBufferChar(buf, '^');
|
||||
appendPQExpBufferChar(buf, *p);
|
||||
}
|
||||
|
||||
/*
|
||||
* Change N backslashes at end of argument to 2N backslashes, because they
|
||||
* precede the double quote that terminates the argument.
|
||||
*/
|
||||
while (backslash_run_length)
|
||||
{
|
||||
appendPQExpBufferStr(buf, "^\\");
|
||||
backslash_run_length--;
|
||||
}
|
||||
appendPQExpBufferStr(buf, "^\"");
|
||||
#endif /* WIN32 */
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Append the given string to the buffer, with suitable quoting for passing
|
||||
* the string as a value, in a keyword/pair value in a libpq connection
|
||||
* string
|
||||
*/
|
||||
void
|
||||
appendConnStrVal(PQExpBuffer buf, const char *str)
|
||||
{
|
||||
const char *s;
|
||||
bool needquotes;
|
||||
|
||||
/*
|
||||
* If the string consists entirely of plain ASCII characters, no need to
|
||||
* quote it. This is quite conservative, but better safe than sorry.
|
||||
*/
|
||||
needquotes = false;
|
||||
for (s = str; *s; s++)
|
||||
{
|
||||
if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
|
||||
(*s >= '0' && *s <= '9') || *s == '_' || *s == '.'))
|
||||
{
|
||||
needquotes = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (needquotes)
|
||||
{
|
||||
appendPQExpBufferChar(buf, '\'');
|
||||
while (*str)
|
||||
{
|
||||
/* ' and \ must be escaped by to \' and \\ */
|
||||
if (*str == '\'' || *str == '\\')
|
||||
appendPQExpBufferChar(buf, '\\');
|
||||
|
||||
appendPQExpBufferChar(buf, *str);
|
||||
str++;
|
||||
}
|
||||
appendPQExpBufferChar(buf, '\'');
|
||||
}
|
||||
else
|
||||
appendPQExpBufferStr(buf, str);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Deconstruct the text representation of a 1-dimensional Postgres array
|
||||
* into individual items.
|
||||
|
||||
Reference in New Issue
Block a user