database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-09-02 04:21:28 +03:00
Code Activity

Add a new GUC parameter backslash_quote, which determines whether the SQL

Browse Source 
parser will allow "\'" to be used to represent a literal quote mark.  The
"\'" representation has been deprecated for some time in favor of the
SQL-standard representation "''" (two single quote marks), but it has been
used often enough that just disallowing it immediately won't do.  Hence
backslash_quote allows the settings "on", "off", and "safe_encoding",
the last meaning to allow "\'" only if client_encoding is a valid server
encoding.  That is now the default, and the reason is that in encodings
such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
multibyte character, accepting "\'" allows SQL-injection attacks as per
CVE-2006-2314 (further details will be published after release).  The
"on" setting is available for backward compatibility, but it must not be
used with clients that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
This commit is contained in:
Tom Lane
2006-05-21 20:10:42 +00:00
parent c61a2f5841
commit b3eb4ea5d8
5 changed files with 98 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/backend/parser/scan.l
View File

@@ -24,7 +24,7 @@
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.134 2006/05/11 19:15:35 tgl Exp $
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.135 2006/05/21 20:10:42 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -55,6 +55,7 @@ static char *dolqstart; /* current $foo$ quote start string */
* But we shall have to live with it as a short-term thing until the switch
* to SQL-standard string syntax is complete.
*/
BackslashQuoteType backslash_quote = BACKSLASH_QUOTE_SAFE_ENCODING;
bool escape_string_warning = true;
bool standard_conforming_strings = false;
@@ -452,6 +453,17 @@ other .
addlit(yytext, yyleng);
}
<xe>{xeescape} {
if (yytext[1] == '\'')
{
if (backslash_quote == BACKSLASH_QUOTE_OFF ||
(backslash_quote == BACKSLASH_QUOTE_SAFE_ENCODING &&
PG_ENCODING_IS_CLIENT_ONLY(pg_get_client_encoding())))
ereport(ERROR,
(errcode(ERRCODE_NONSTANDARD_USE_OF_ESCAPE_CHARACTER),
errmsg("unsafe use of \\' in a string literal"),
errhint("Use '' to write quotes in strings. \\' is insecure in client-only encodings."),
lexer_errposition()));
}
check_string_escape_warning(yytext[1]);
addlitchar(unescape_single_char(yytext[1]));
}