This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to tag REL7_3_4 in repository libpostgresql-jdbc-java.
commit 433b7b97da262eb863e59b29161f9691a7e624c8 Author: Barry Lind <[email protected]> Date: Wed Jul 23 23:34:31 2003 +0000 Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett and Dmitry Tkach Modified Files: Tag: REL7_3_STABLE jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java --- org/postgresql/Driver.java.in | 2 +- org/postgresql/jdbc1/AbstractJdbc1Statement.java | 31 +++++++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/org/postgresql/Driver.java.in b/org/postgresql/Driver.java.in index 164c1d0..241c588 100644 --- a/org/postgresql/Driver.java.in +++ b/org/postgresql/Driver.java.in @@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver } //The build number should be incremented for every new build - private static int m_buildNumber = 111; + private static int m_buildNumber = 112; } diff --git a/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/org/postgresql/jdbc1/AbstractJdbc1Statement.java index f41216d..925fc06 100644 --- a/org/postgresql/jdbc1/AbstractJdbc1Statement.java +++ b/org/postgresql/jdbc1/AbstractJdbc1Statement.java @@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme sbuf.setLength(0); sbuf.ensureCapacity(x.length()); sbuf.append('\''); - escapeString(x, sbuf); + escapeString(x, sbuf, true); sbuf.append('\''); bind(parameterIndex, sbuf.toString(), type); } 
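Review bot: With `escapeString(x, sbuf, true)` this setter can now fail with an unchecked `IllegalArgumentException` when `x` contains a NUL character (the `case '\0'` branch added in the next hunk), and callers that only handle `SQLException` will not catch it. The setter's signature is outside the hunk, but assuming it is declared `throws SQLException` like the `java.sql.PreparedStatement` setters, I would report the rejection through that channel: `throw new SQLException("\\0 not allowed");`, with `throws SQLException` added to `escapeString`. The same applies to the `"semicolon not allowed"` throw reached from the `escapeString(p_input, sbuf, false)` call site in the second hunk.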
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme { sbuf.setLength(0); sbuf.ensureCapacity(p_input.length()); - escapeString(p_input, sbuf); + escapeString(p_input, sbuf, false); return sbuf.toString(); } } - private void escapeString(String p_input, StringBuffer p_output) { + /* + * p_allowStatementTerminator determines if a semi-colon is allowed in the + * returned value. A semi-colon should only be allowed if the resulting + * string will be enclosed in single quotes in a sql string, or will be + * passed by value to the server via a bind thus bypassing the sql parser + * on the server. + */ + private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) { for (int i = 0 ; i < p_input.length() ; ++i) { char c = p_input.charAt(i); - if (c == '\\' || c == '\'') - p_output.append((char)'\\'); - p_output.append(c); + switch (c) + { + case '\\': + case '\'': + p_output.append('\\'); + p_output.append(c); + break; + case '\0': + throw new IllegalArgumentException("\\0 not allowed"); + case ';': + if (!p_allowStatementTerminator) + throw new IllegalArgumentException("semicolon not allowed"); + default: + p_output.append(c); + } } } -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpostgresql-jdbc-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
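Review bot: The `false` path guards an unquoted value with a two-character blocklist (`';'` and `'\0'`), which is weaker than the new comment suggests, because text placed in a statement outside single quotes can change what the statement does without containing a semicolon. The comment on `escapeString` should say so, for example `* With p_allowStatementTerminator == false the result is NOT safe for arbitrary text; callers must validate the value against the expected literal syntax first.` The caller that passes `false` starts outside the hunk, so I cannot tell what it validates; if it expects a number or a similarly narrow syntax, an allowlist check there would be the stronger guard. Separately, `case ';':` reaches `default:` by falling through, which deserves a `// fall through` comment and braces on the `if` so that a later edit does not silently change which characters are appended.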

