[libpostgresql-jdbc-java] 12/14: escapeQuotes() in DatabaseMetaData was not correctly handling backslashes which would result in incorrect searches and has the potential for a SQL injection attack.

Mon Jan 9 10:19:51 UTC 2017

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to tag REL8_1_405
in repository libpostgresql-jdbc-java.

commit d9b3c67f0ca7d4708d0a6cf09dc3d991b431f794
Author: Kris Jurka <books at ejurka.com>
Date:   Fri Feb 3 21:10:31 2006 +0000

    escapeQuotes() in DatabaseMetaData was not correctly handling
    backslashes which would result in incorrect searches and has the
    potential for a SQL injection attack.
    
    Paolo Predonzani
---
 org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java | 12 ++++--------
 org/postgresql/test/jdbc2/DatabaseMetaDataTest.java     | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java b/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
index 0f28ce5..22b0e30 100644
--- a/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
+++ b/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
@@ -3,7 +3,7 @@
 * Copyright (c) 2004-2005, PostgreSQL Global Development Group
 *
 * IDENTIFICATION
-*   $PostgreSQL: pgjdbc/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java,v 1.24.2.1 2005/11/29 06:02:16 jurka Exp $
+*   $PostgreSQL: pgjdbc/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java,v 1.24.2.2 2005/12/04 20:22:59 jurka Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1744,18 +1744,14 @@ public abstract class AbstractJdbc2DatabaseMetaData
     protected static String escapeQuotes(String s) {
         StringBuffer sb = new StringBuffer();
         int length = s.length();
-        char prevChar = ' ';
-        char prevPrevChar = ' ';
         for (int i = 0; i < length; i++)
         {
             char c = s.charAt(i);
-            sb.append(c);
-            if (c == '\'' && (prevChar != '\\' || (prevChar == '\\' && prevPrevChar == '\\')))
+            if (c == '\'' || c == '\\')
             {
-                sb.append("'");
+                sb.append('\\');
             }
-            prevPrevChar = prevChar;
-            prevChar = c;
+            sb.append(c);
         }
         return sb.toString();
     }
diff --git a/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java b/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
index aaac76e..4cbc5e2 100644
--- a/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
+++ b/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
@@ -3,7 +3,7 @@
 * Copyright (c) 2004-2005, PostgreSQL Global Development Group
 *
 * IDENTIFICATION
-*   $PostgreSQL: pgjdbc/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java,v 1.33 2005/03/04 06:52:04 jurka Exp $
+*   $PostgreSQL: pgjdbc/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java,v 1.34 2005/09/14 19:08:50 jurka Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -37,6 +37,8 @@ public class DatabaseMetaDataTest extends TestCase
         TestUtil.dropSequence( con, "sercoltest_b_seq");
         TestUtil.dropSequence( con, "sercoltest_c_seq");
         TestUtil.createTable( con, "sercoltest", "a int, b serial, c bigserial");
+        TestUtil.createTable( con, "\"a\\\"", "a int4");
+        TestUtil.createTable( con, "\"a'\"", "a int4");
 
         Statement stmt = con.createStatement();
         //we add the following comments to ensure the joins to the comments
@@ -50,6 +52,8 @@ public class DatabaseMetaDataTest extends TestCase
         TestUtil.dropTable( con, "sercoltest");
         TestUtil.dropSequence( con, "sercoltest_b_seq");
         TestUtil.dropSequence( con, "sercoltest_c_seq");
+        TestUtil.dropTable( con, "\"a\\\"");
+        TestUtil.dropTable( con, "\"a'\"");
 
         TestUtil.closeDB( con );
     }
@@ -508,6 +512,16 @@ public class DatabaseMetaDataTest extends TestCase
         }
     }
 
+    public void testEscaping() throws SQLException {
+        DatabaseMetaData dbmd = con.getMetaData();
+        ResultSet rs = dbmd.getTables( null, null, "a'", new String[] {"TABLE"});
+        assertTrue(rs.next());
+        rs = dbmd.getTables( null, null, "a\\\\", new String[] {"TABLE"});
+        assertTrue(rs.next());
+        rs = dbmd.getTables( null, null, "a\\", new String[] {"TABLE"});
+        assertTrue(!rs.next());
+    }
+
     public void testSearchStringEscape() throws Exception {
         DatabaseMetaData dbmd = con.getMetaData();
         Statement stmt = con.createStatement();

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpostgresql-jdbc-java.git

