database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-12 15:23:02 +03:00
Code Activity

Fix to prevent SQL injection attacks when calling setObject(int,Object,int)

Browse Source 
where the Object is a String and the type is numeric (i.e. INTEGER,LONG,etc).
The fix applies the standard escaping for these values.

 Modified Files:
  Tag: REL7_3_STABLE
 	jdbc/org/postgresql/Driver.java.in
 	jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
This commit is contained in:
Barry Lind
2003-07-22 05:13:05 +00:00
parent 004d2be5d9
commit 5d882f78ae
2 changed files with 32 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/interfaces/jdbc/org/postgresql/Driver.java.in
View File

@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
} }
//The build number should be incremented for every new build //The build number should be incremented for every new build
private static int m_buildNumber = 110; private static int m_buildNumber = 111;
} }

51
src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
View File

@@ -8,7 +8,7 @@ import java.util.Vector;
import org.postgresql.largeobject.*; import org.postgresql.largeobject.*;
import org.postgresql.util.*; import org.postgresql.util.*;
/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.4 2003/04/17 04:19:55 barry Exp $ /* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.5 2003/07/22 05:13:05 barry Exp $
* This class defines methods of the jdbc1 specification. This class is * This class defines methods of the jdbc1 specification. This class is
* extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2 * extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
* methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement * methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -913,22 +913,36 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
{ {
sbuf.setLength(0); sbuf.setLength(0);
sbuf.ensureCapacity(x.length()); sbuf.ensureCapacity(x.length());
int i;
sbuf.append('\''); sbuf.append('\'');
for (i = 0 ; i < x.length() ; ++i) escapeString(x, sbuf);
{
char c = x.charAt(i);
if (c == '\\' || c == '\'')
sbuf.append((char)'\\');
sbuf.append(c);
}
sbuf.append('\''); sbuf.append('\'');
bind(parameterIndex, sbuf.toString(), type); bind(parameterIndex, sbuf.toString(), type);
} }
} }
} }
private String escapeString(String p_input) {
// use the shared buffer object. Should never clash but this makes
// us thread safe!
synchronized (sbuf)
{
sbuf.setLength(0);
sbuf.ensureCapacity(p_input.length());
escapeString(p_input, sbuf);
return sbuf.toString();
}
}
private void escapeString(String p_input, StringBuffer p_output) {
for (int i = 0 ; i < p_input.length() ; ++i)
{
char c = p_input.charAt(i);
if (c == '\\' || c == '\'')
p_output.append((char)'\\');
p_output.append(c);
}
}
/* /*
* Set a parameter to a Java array of bytes. The driver converts this * Set a parameter to a Java array of bytes. The driver converts this
* to a SQL VARBINARY or LONGVARBINARY (depending on the argument's * to a SQL VARBINARY or LONGVARBINARY (depending on the argument's
@@ -1342,7 +1356,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
switch (targetSqlType) switch (targetSqlType)
{ {
case Types.INTEGER: case Types.INTEGER:
bind(parameterIndex, x.toString(), PG_INTEGER); bind(parameterIndex, escapeString(x.toString()), PG_INTEGER);
break; break;
case Types.TINYINT: case Types.TINYINT:
case Types.SMALLINT: case Types.SMALLINT:
@@ -1355,7 +1369,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
if (x instanceof Boolean) if (x instanceof Boolean)
bind(parameterIndex, ((Boolean)x).booleanValue() ? "1" : "0", PG_BOOLEAN); bind(parameterIndex, ((Boolean)x).booleanValue() ? "1" : "0", PG_BOOLEAN);
else else
bind(parameterIndex, x.toString(), PG_NUMERIC); bind(parameterIndex, escapeString(x.toString()), PG_NUMERIC);
break; break;
case Types.CHAR: case Types.CHAR:
case Types.VARCHAR: case Types.VARCHAR:
@@ -1763,15 +1777,12 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
} }
/* /*
* There are a lot of setXXX classes which all basically do * Note if s is a String it should be escaped by the caller to avoid SQL
* the same thing. We need a method which actually does the * injection attacks. It is not done here for efficency reasons as
* set for us. * most calls to this method do not require escaping as the source
* * of the string is known safe (i.e. Integer.toString())
* @param paramIndex the index into the inString
* @param s a string to be stored
* @exception SQLException if something goes wrong
*/ */
protected void bind(int paramIndex, Object s, String type) throws SQLException private void bind(int paramIndex, Object s, String type) throws SQLException
{ {
if (paramIndex < 1 || paramIndex > m_binds.length) if (paramIndex < 1 || paramIndex > m_binds.length)
throw new PSQLException("postgresql.prep.range"); throw new PSQLException("postgresql.prep.range");