On Tuesday 14 April 2009 21:34:51 Peter Eisentraut wrote:
> On Tuesday 14 April 2009 17:13:00 Marko Kreen wrote:
> > If the parsing does not happen in 2 passes and it does not take account
> > of stdstr setting then the default breakage would be:
> >
> > stdstr=off, U&' \' UESCAPE '!'.
>
> I think we can handle that and the cases Tom presents by erroring out when
> the U& syntax is used with stdstr off.
Proposed patch for that attached.
Index: doc/src/sgml/syntax.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/syntax.sgml,v retrieving revision 1.131 diff -u -3 -p -r1.131 syntax.sgml --- doc/src/sgml/syntax.sgml 27 Apr 2009 16:27:36 -0000 1.131 +++ doc/src/sgml/syntax.sgml 4 May 2009 22:08:27 -0000 @@ -500,6 +500,17 @@ U&'d!0061t!+000061' UESCAPE '!' </para> <para> + Also, the Unicode escape syntax for string constants only works + when the configuration + parameter <xref linkend="guc-standard-conforming-strings"> is + turned on. This is because otherwise this syntax could confuse + clients that parse the SQL statements to the point that it could + lead to SQL injections and similar security issues. If the + parameter is set to off, this syntax will be rejected with an + error message. + </para> + + <para> To include the escape character in the string literally, write it twice. </para> Index: src/backend/parser/scan.l =================================================================== RCS file: /cvsroot/pgsql/src/backend/parser/scan.l,v retrieving revision 1.151 diff -u -3 -p -r1.151 scan.l --- src/backend/parser/scan.l 19 Apr 2009 21:08:54 -0000 1.151 +++ src/backend/parser/scan.l 4 May 2009 22:08:27 -0000 @@ -469,6 +469,11 @@ other . startlit(); } {xusstart} { + if (!standard_conforming_strings) + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("unsafe use of string constant with Unicode escapes"), + errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off."))); SET_YYLLOC(); BEGIN(xus); startlit(); Index: src/test/regress/expected/strings.out =================================================================== RCS file: /cvsroot/pgsql/src/test/regress/expected/strings.out,v retrieving revision 1.35 diff -u -3 -p -r1.35 strings.out --- src/test/regress/expected/strings.out 29 Oct 2008 08:04:54 -0000 1.35 +++ src/test/regress/expected/strings.out 4 May 2009 22:08:27 -0000 
@@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - thi LINE 3: ' - third line' ^ -- Unicode escapes +SET standard_conforming_strings TO on; SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; data ------ @@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' A dat\+000061 (1 row) +SELECT U&' \' UESCAPE '!' AS "tricky"; + tricky +-------- + \ +(1 row) + +SELECT 'tricky' AS U&"\" UESCAPE '!'; + \ +-------- + tricky +(1 row) + SELECT U&'wrong: \061'; ERROR: invalid Unicode escape value at or near "\061'" LINE 1: SELECT U&'wrong: \061'; 
@@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+'; ERROR: invalid Unicode escape character at or near "+'" LINE 1: SELECT U&'wrong: +0061' UESCAPE '+'; ^ +SET standard_conforming_strings TO off; +SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&' \' UESCAPE '!' AS "tricky"; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT 'tricky' AS U&"\" UESCAPE '!'; + \ +-------- + tricky +(1 row) + +SELECT U&'wrong: \061'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'wrong: \+0061'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. +SELECT U&'wrong: +0061' UESCAPE '+'; +ERROR: unsafe use of string constant with Unicode escapes +DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off. 
+RESET standard_conforming_strings; -- -- test conversions between various string types -- E021-10 implicit casting among the character data types Index: src/test/regress/sql/strings.sql =================================================================== RCS file: /cvsroot/pgsql/src/test/regress/sql/strings.sql,v retrieving revision 1.24 diff -u -3 -p -r1.24 strings.sql --- src/test/regress/sql/strings.sql 29 Oct 2008 08:04:54 -0000 1.24 +++ src/test/regress/sql/strings.sql 4 May 2009 22:08:27 -0000 @@ -17,13 +17,32 @@ SELECT 'first line' AS "Illegal comment within continuation"; -- Unicode escapes +SET standard_conforming_strings TO on; + +SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; +SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; + +SELECT U&' \' UESCAPE '!' AS "tricky"; +SELECT 'tricky' AS U&"\" UESCAPE '!'; + +SELECT U&'wrong: \061'; +SELECT U&'wrong: \+0061'; +SELECT U&'wrong: +0061' UESCAPE '+'; + +SET standard_conforming_strings TO off; + SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061"; SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*'; +SELECT U&' \' UESCAPE '!' AS "tricky"; +SELECT 'tricky' AS U&"\" UESCAPE '!'; + SELECT U&'wrong: \061'; SELECT U&'wrong: \+0061'; SELECT U&'wrong: +0061' UESCAPE '+'; +RESET standard_conforming_strings; + -- -- test conversions between various string types -- E021-10 implicit casting among the character data types
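Review bot: on the doc/src/sgml/syntax.sgml hunk, the new paragraph covers string constants only, which matches the scanner change, but readers will wonder about Unicode escapes in identifiers: the regression output in this same patch shows `SELECT 'tricky' AS U&"\" UESCAPE '!'` still succeeding with standard_conforming_strings off, so one sentence saying that `U&"..."` identifiers are not affected by the setting would avoid confusion. The sentence "could confuse clients that parse the SQL statements to the point that it could lead to SQL injections" is also awkward; suggest something like "because clients that parse SQL themselves with the parameter off may misinterpret the backslashes and quotes in such a literal, which can lead to SQL injection".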
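Review bot: on the src/backend/parser/scan.l hunk, the `ereport(ERROR, ...)` in the `{xusstart}` rule is raised before `SET_YYLLOC();`, so the error carries no cursor position; the expected output in strings.out confirms this, since the new "unsafe use of string constant with Unicode escapes" errors have no `LINE 1:` / `^` lines, unlike the neighbouring "invalid Unicode escape value at or near" errors. Suggest moving `SET_YYLLOC();` above the check so the client is pointed at the offending literal. A short comment in the rule explaining why the check exists (with stdstr off a client-side parser may treat the backslash in `U&' \'` as an escape and mis-split the statement, as the documentation hunk says) would also help, and ERRCODE_FEATURE_NOT_SUPPORTED is debatable for a syntax that is rejected for safety rather than unimplemented.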
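Review bot: on the src/test/regress/expected/strings.out `@@ -46,6 +59,32 @@` hunk, every `U&'...'` statement under standard_conforming_strings off now fails except `SELECT 'tricky' AS U&"\" UESCAPE '!'`, which still returns a row. That asymmetry (identifiers allowed, constants rejected) is presumably intended, since the scan.l change only touches the `{xusstart}` rule, but nothing in the test says so; a `-- Unicode escapes in identifiers are still allowed` comment next to that statement would make the expectation explicit and stop a future reader from "fixing" the output.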
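Review bot: on the src/test/regress/sql/strings.sql hunk, the block after `SET standard_conforming_strings TO off;` repeats the same seven statements as the block under `TO on;` with no indication that they are now expected to error; a one-line comment such as `-- these must all fail with standard_conforming_strings off` before the second block would document the intent of the test. The trailing `RESET standard_conforming_strings;` is good, as it keeps the later conversion tests independent of this change.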
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers