Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett

and Dmitry Tkach Modified Files: Tag: REL7_3_STABLE jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
2025-09-08 00:47:37 +03:00 · 2003-07-23 23:34:31 +00:00
parent 97dcee285b
commit 83bc9b9d2e
2 changed files with 27 additions and 8 deletions
--- a/src/interfaces/jdbc/org/postgresql/Driver.java.in
+++ b/src/interfaces/jdbc/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 	}

 	//The build number should be incremented for every new build
-	private static int m_buildNumber = 111;
+	private static int m_buildNumber = 112;

 }
--- a/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -8,7 +8,7 @@ import java.util.Vector;
 import org.postgresql.largeobject.*;
 import org.postgresql.util.*;

-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.5 2003/07/22 05:13:05 barry Exp $
+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.6 2003/07/23 23:34:31 barry Exp $
 * This class defines methods of the jdbc1 specification.  This class is
 * extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
 * methods.  The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 				sbuf.setLength(0);
 				sbuf.ensureCapacity(x.length());
 				sbuf.append('\'');
-				escapeString(x, sbuf);
+				escapeString(x, sbuf, true);
 				sbuf.append('\'');
 				bind(parameterIndex, sbuf.toString(), type);
 			}
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 		{
 			sbuf.setLength(0);
 			sbuf.ensureCapacity(p_input.length());
-			escapeString(p_input, sbuf);
+			escapeString(p_input, sbuf, false);
 			return sbuf.toString();
 		}
 	}

-	private void escapeString(String p_input, StringBuffer p_output) {
+	/*
+	 * p_allowStatementTerminator determines if a semi-colon is allowed in the
+	 * returned value.  A semi-colon should only be allowed if the resulting 
+	 * string will be enclosed in single quotes in a sql string, or will be 
+	 * passed by value to the server via a bind thus bypassing the sql parser
+	 * on the server.
+	 */
+	private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
 		for (int i = 0 ; i < p_input.length() ; ++i)
 		{
 			char c = p_input.charAt(i);
-			if (c == '\\' || c == '\'')
-				p_output.append((char)'\\');
-			p_output.append(c);
+			switch (c)
+			{
+			    case '\\':
+			    case '\'':
+					p_output.append('\\');
+					p_output.append(c);
+					break;
+			    case '\0':
+					throw new IllegalArgumentException("\\0 not allowed");
+			    case ';':
+					if (!p_allowStatementTerminator)
+						throw new IllegalArgumentException("semicolon not allowed");
+				default:
+					p_output.append(c);
+			}
 		}
 	}