Subject: Bug#369351: (fwd) [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src/src/lookups pgsql.c exim/exim-test/scripts/9200-PostgreSQL 9200 exim/exim-test/stderr 9200 exim/exim-test/stdout 9200 [ph10@sesame.csx.cam.ac.uk]
From: Marc Haber <mh+debian-packages at zugschlus.de>
Date: Mon Jul 3 09:15:24 UTC 2006
package exim4-daemon-heavy
tags #369351 - fixed-upstream
user bts-link-upstream at lists.alioth.debian.org
usertags 369351 - status-RESOLVED resolution-FIXED
usertags 369351 + status-REOPENED
thanks
On Fri, Jun 30, 2006 at 06:18:37PM +0200, Florian Weimer wrote:
> * Marc Haber:
>
> >> +The original code quoted single quotes as \' which is documented as valid in
> >> +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
> >> +the SQL standard '' way of representing a single quote as data. However, in
> >> +June 2006 there was some security issue with using \' and so this has been
> >> +changed.
>
> This is still not correct. You need to deal with multi-byte character
> encodings while quoting, otherwise you still suffer from the
> vulnerability for certain encodings.
>
> >> +[Note: There is a function called PQescapeStringConn() that quotes strings.
> >> +This cannot be used because it needs a PGconn argument (the connection handle).
> >> +Why, I don't know. Seems odd for just string escaping...]
>
> PQescapeStringConn uses the connection handle to determine the
> encoding of the passed string. If you can't supply the handle,
> PQescapeString is the better choice, but it relies on an internal
> global variable.
>
> I'm going to have a look at how Exim deals with SQL backends. Perhaps
> there is a reasonably portable way to do away with all that quoting.
I have forwarded this to the exim bugzilla bug.
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
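The encoding point raised in the quoted reply, worked through as an added example. This is not Exim's pgsql.c or libpq code; the function names, the choice of GBK and latin-1 as client encodings, and the input bytes are constructed for the demonstration. It puts the old byte-wise backslash escaper beside an encoding-aware one that first validates the data under the connection's client encoding and then doubles the quote (the SQL-standard form the ChangeLog mentions), and it includes a small scanner that checks whether an escaped literal still holds together once the server reads the bytes under a given encoding.

```python
"""Encoding-aware quoting of string data for an SQL literal.

Added example, not Exim or libpq code. It models the point made in the
thread: replacing ' with \\' byte by byte is unsafe under client encodings
in which 0x5C (backslash) can be the trailing byte of a multibyte character,
because the inserted backslash can then be absorbed into the preceding
character and the quote is left bare.
"""


def naive_backslash_quote(data: bytes) -> bytes:
    """The pre-fix behaviour: byte-wise replace ' with \\', blind to encoding."""
    return data.replace(b"'", b"\\'")


def quote_for_sql(data: bytes, encoding: str) -> bytes:
    """Encoding-aware quoting.

    1. Decode under the connection's client encoding. A malformed sequence
       (e.g. a lone lead byte followed by ') raises UnicodeDecodeError instead
       of being passed through to the server.
    2. Double ' (SQL standard) and also \\, so that a trailing backslash in
       the data cannot escape the closing quote on servers that still treat
       backslash as an escape; then re-encode in the same encoding.
    Working on decoded characters guarantees no inserted byte can merge into
    a multibyte character.
    """
    text = data.decode(encoding)
    text = text.replace("\\", "\\\\").replace("'", "''")
    return text.encode(encoding)


def is_safely_quoted(quoted: bytes, encoding: str) -> bool:
    """Scan an escaped literal body as a server would.

    Decodes under `encoding`, then walks characters accepting both \\x and ''
    as escapes. Returns False if a bare ' would terminate the literal early or
    if the bytes are not valid in that encoding at all.
    """
    try:
        text = quoted.decode(encoding)
    except UnicodeDecodeError:
        return False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # backslash escape consumes the next character
        elif ch == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                i += 2  # doubled quote stands for one literal quote
            else:
                return False  # bare quote: the literal would close here
        else:
            i += 1
    return True


if __name__ == "__main__":
    # Constructed input: 0xBF is a GBK lead byte, and 0x27 (') is not a valid
    # trailing byte, so this is malformed GBK. The naive escaper turns it into
    # 0xBF 0x5C 0x27, and 0xBF 0x5C is one valid GBK character.
    malformed = b"\xbf'"
    out = naive_backslash_quote(malformed)
    print(out, "latin-1 safe:", is_safely_quoted(out, "latin-1"),
          "gbk safe:", is_safely_quoted(out, "gbk"))
    try:
        quote_for_sql(malformed, "gbk")
    except UnicodeDecodeError as err:
        print("rejected by encoding-aware quoting:", err)
    # Well-formed GBK data containing a character whose trailing byte is 0x5C
    # followed by a quote survives the doubling approach intact.
    good = quote_for_sql("O'Reilly \u7e97'".encode("gbk"), "gbk")
    print(good, "gbk safe:", is_safely_quoted(good, "gbk"))
```

The scanner accepts backslash escapes on purpose: it mirrors a server that has not been told to ignore them, which is the setting in which the June 2006 issue applied. Rejecting input that does not decode under the connection encoding is the step the quoted reply asks for; libpq's PQescapeStringConn does the same thing by consulting the connection for its encoding, which is why it needs the handle.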