database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-18 12:22:09 +03:00
Code Activity

Add a new GUC parameter backslash_quote, which determines whether the SQL

Browse Source 
parser will allow "\'" to be used to represent a literal quote mark.  The
"\'" representation has been deprecated for some time in favor of the
SQL-standard representation "''" (two single quote marks), but it has been
used often enough that just disallowing it immediately won't do.  Hence
backslash_quote allows the settings "on", "off", and "safe_encoding",
the last meaning to allow "\'" only if client_encoding is a valid server
encoding.  That is now the default, and the reason is that in encodings
such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
multibyte character, accepting "\'" allows SQL-injection attacks as per
CVE-2006-2314 (further details will be published after release).  The
"on" setting is available for backward compatibility, but it must not be
used with clients that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
This commit is contained in:
Tom Lane
2006-05-21 20:11:25 +00:00
parent 70794254a1
commit 9bc62ddd5f
6 changed files with 146 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
doc/src/sgml/runtime.sgml
View File

@@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.301.4.7 2005/06/17 16:46:45 momjian Exp $
$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.301.4.8 2006/05/21 20:11:25 tgl Exp $
-->
<chapter id="runtime">
@@ -3490,39 +3490,31 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
</listitem>
</varlistentry>
<varlistentry id="guc-regex-flavor" xreflabel="regex_flavor">
<term><varname>regex_flavor</varname> (<type>string</type>)</term>
<indexterm><primary>regular expressions</></>
<varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
<term><varname>backslash_quote</varname> (<type>string</type>)</term>
<indexterm><primary>strings</><secondary>backslash quotes</></>
<indexterm>
<primary><varname>regex_flavor</> configuration parameter</primary>
<primary><varname>backslash_quote</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
The regular expression <quote>flavor</> can be set to
<literal>advanced</>, <literal>extended</>, or <literal>basic</>.
The default is <literal>advanced</>. The <literal>extended</>
setting may be useful for exact backwards compatibility with
pre-7.4 releases of <productname>PostgreSQL</>. See
<xref linkend="posix-syntax-details"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-sql-inheritance" xreflabel="sql_inheritance">
<term><varname>sql_inheritance</varname> (<type>boolean</type>)</term>
<indexterm>
<primary><varname>sql_inheritance</> configuration parameter</primary>
</indexterm>
<indexterm><primary>inheritance</></>
<listitem>
<para>
This controls the inheritance semantics, in particular whether
subtables are included by various commands by default. They were
not included in versions prior to 7.1. If you need the old
behavior you can set this variable to off, but in the long run
you are encouraged to change your applications to use the
<literal>ONLY</literal> key word to exclude subtables. See
<xref linkend="ddl-inherit"> for more information about inheritance.
This controls whether a quote mark can be represented by
<literal>\'</> in a string literal. The preferred, SQL-standard way
to represent a quote mark is by doubling it (<literal>''</>) but
<productname>PostgreSQL</> has historically also accepted
<literal>\'</>. However, use of <literal>\'</> creates security risks
because in some client character set encodings, there are multibyte
characters in which the last byte is numerically equivalent to ASCII
<literal>\</>. If client-side code does escaping incorrectly then a
SQL-injection attack is possible. This risk can be prevented by
making the server reject queries in which a quote mark appears to be
escaped by a backslash.
The allowed values of <varname>backslash_quote</> are
<literal>on</> (allow <literal>\'</> always),
<literal>off</> (reject always), and
<literal>safe_encoding</> (allow only if client encoding does not
allow ASCII <literal>\</> within a multibyte character).
<literal>safe_encoding</> is the default setting.
</para>
</listitem>
</varlistentry>
@@ -3560,6 +3552,43 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
</listitem>
</varlistentry>
<varlistentry id="guc-regex-flavor" xreflabel="regex_flavor">
<term><varname>regex_flavor</varname> (<type>string</type>)</term>
<indexterm><primary>regular expressions</></>
<indexterm>
<primary><varname>regex_flavor</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
The regular expression <quote>flavor</> can be set to
<literal>advanced</>, <literal>extended</>, or <literal>basic</>.
The default is <literal>advanced</>. The <literal>extended</>
setting may be useful for exact backwards compatibility with
pre-7.4 releases of <productname>PostgreSQL</>. See
<xref linkend="posix-syntax-details"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-sql-inheritance" xreflabel="sql_inheritance">
<term><varname>sql_inheritance</varname> (<type>boolean</type>)</term>
<indexterm>
<primary><varname>sql_inheritance</> configuration parameter</primary>
</indexterm>
<indexterm><primary>inheritance</></>
<listitem>
<para>
This controls the inheritance semantics, in particular whether
subtables are included by various commands by default. They were
not included in versions prior to 7.1. If you need the old
behavior you can set this variable to off, but in the long run
you are encouraged to change your applications to use the
<literal>ONLY</literal> key word to exclude subtables. See
<xref linkend="ddl-inherit"> for more information about inheritance.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
<sect3 id="runtime-config-compatible-clients">