Bug#369351: (fwd) [exim-cvs] cvs commit: exim/exim-doc/doc-txt
ChangeLog exim/exim-src/src/lookups pgsql.c
exim/exim-test/scripts/9200-PostgreSQL 9200
exim/exim-test/stderr 9200 exim/exim-test/stdout 9200
[ph10@sesame.csx.cam.ac.uk]
Marc Haber
mh+debian-packages at zugschlus.de
Fri Jun 30 14:01:12 UTC 2006
Hi,
this is upstream's patch for this issue. Philip decided not to use the
libpq functions.
Martin, Florian, can you comment?
Greetings
Marc
----- Forwarded message from Philip Hazel <ph10 at sesame.csx.cam.ac.uk> -----
> From: Philip Hazel <ph10 at sesame.csx.cam.ac.uk>
> Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog
> exim/exim-src/src/lookups pgsql.c exim/exim-test/scripts/9200-PostgreSQL
> 9200 exim/exim-test/stderr 9200 exim/exim-test/stdout 9200
> To: exim-cvs at exim.org
> Reply-To: exim-dev at exim.org
> Date: Fri, 30 Jun 2006 14:57:46 +0100
>
> ph10 2006/06/30 14:57:46 BST
>
> Modified files:
> exim-doc/doc-txt ChangeLog
> exim-src/src/lookups pgsql.c
> exim-test/scripts/9200-PostgreSQL 9200
> exim-test/stderr 9200
> exim-test/stdout 9200
> Log:
> Change ${quote_pgsql to quote ' as '' instead of \' because of a
> security issue.
>
> Revision Changes Path
> 1.364 +5 -0 exim/exim-doc/doc-txt/ChangeLog
> 1.5 +16 -1 exim/exim-src/src/lookups/pgsql.c
> 1.2 +1 -0 exim/exim-test/scripts/9200-PostgreSQL/9200
> 1.3 +12 -1 exim/exim-test/stderr/9200
> 1.2 +1 -0 exim/exim-test/stdout/9200
>
> Index: ChangeLog
> ===================================================================
> RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
> retrieving revision 1.363
> retrieving revision 1.364
> diff -u -r1.363 -r1.364
> --- ChangeLog 28 Jun 2006 16:00:23 -0000 1.363
> +++ ChangeLog 30 Jun 2006 13:57:46 -0000 1.364
> @@ -1,4 +1,4 @@
> -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.363 2006/06/28 16:00:23 ph10 Exp $
> +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.364 2006/06/30 13:57:46 ph10 Exp $
>
> Change log file for Exim from version 4.21
> -------------------------------------------
> @@ -55,6 +55,11 @@
> PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the
> bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL,
> because it is too late at that time, and has no effect.
> +
> +PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a
> + security issue with \' (bugzilla #107). I could not use the
> + PQescapeStringConn() function, because it needs a PGconn value as one of
> + its arguments.
>
>
> Exim version 4.62
>
> Index: pgsql.c
> ===================================================================
> RCS file: /home/cvs/exim/exim-src/src/lookups/pgsql.c,v
> retrieving revision 1.4
> retrieving revision 1.5
> diff -u -r1.4 -r1.5
> --- pgsql.c 7 Feb 2006 11:19:01 -0000 1.4
> +++ pgsql.c 30 Jun 2006 13:57:46 -0000 1.5
> @@ -1,4 +1,4 @@
> -/* $Cambridge: exim/exim-src/src/lookups/pgsql.c,v 1.4 2006/02/07 11:19:01 ph10 Exp $ */
> +/* $Cambridge: exim/exim-src/src/lookups/pgsql.c,v 1.5 2006/06/30 13:57:46 ph10 Exp $ */
>
> /*************************************************
> * Exim - an Internet mail transport agent *
> @@ -422,6 +422,16 @@
> does treat the string as "ab%cd". So we can safely quote percent and
> underscore. [This is different to MySQL, where you can't do this.]
>
> +The original code quoted single quotes as \' which is documented as valid in
> +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
> +the SQL standard '' way of representing a single quote as data. However, in
> +June 2006 there was some security issue with using \' and so this has been
> +changed.
> +
> +[Note: There is a function called PQescapeStringConn() that quotes strings.
> +This cannot be used because it needs a PGconn argument (the connection handle).
> +Why, I don't know. Seems odd for just string escaping...]
> +
> Arguments:
> s the string to be quoted
> opt additional option text or NULL if none
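Review bot: The comment block added at line 422 gives the reason only as "some security issue with using \'" and ends on an open question ("Why, I don't know"), which will not help whoever next touches this function. The ChangeLog entry in the same commit cites bugzilla #107; put that reference here too, and reduce the aside about PQescapeStringConn() to the stated constraint that it needs a PGconn argument.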
> @@ -447,7 +457,12 @@
>
> while ((c = *s++) != 0)
> {
> - if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL)
> + if (c == '\'')
> + {
> + *t++ = '\'';
> + *t++ = '\'';
> + }
> + else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL)
> {
> *t++ = '\\';
> switch(c)
>
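Review bot: Only ' gets the new treatment; the else-if branch still writes a backslash in front of ", \, %, _ and the control characters, so the quoted result continues to rely on backslash acting as an escape character inside the string literal. If the problem with \' comes from how backslash sequences are handled, the comment above should say why the remaining backslash escapes are still acceptable. The new branch writes two bytes per quote; please confirm that the allocation behind t, which is not visible in this hunk, allows for that.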
> Index: 9200
> ===================================================================
> RCS file: /home/cvs/exim/exim-test/scripts/9200-PostgreSQL/9200,v
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- 9200 7 Feb 2006 10:54:51 -0000 1.1
> +++ 9200 30 Jun 2006 13:57:46 -0000 1.2
> @@ -9,6 +9,7 @@
> ${lookup pgsql {select * from them where id='quote2';}}
> ${lookup pgsql {select * from them where id='newline';}}
> ${lookup pgsql {select * from them where id='tab';}}
> +${lookup pgsql {select * from them where name='${quote_pgsql:'stquot}';}}
> ****
> exim -d -bh 10.0.0.0
> mail from:<a at b>
>
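Review bot: The added test line exercises a single leading quote ('stquot) and nothing else. Since the change is about how ' is quoted alongside the backslash escapes that remain, add inputs that mix the two, for example a value containing \' and a value ending in a backslash, plus one with two adjacent quotes, so that the expected key strings in stderr/9200 pin down the combined behaviour.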
> Index: 9200
> ===================================================================
> RCS file: /home/cvs/exim/exim-test/stderr/9200,v
> retrieving revision 1.2
> retrieving revision 1.3
> diff -u -r1.2 -r1.3
> --- 9200 18 Apr 2006 15:53:58 -0000 1.2
> +++ 9200 30 Jun 2006 13:57:46 -0000 1.3
> @@ -100,7 +100,18 @@
> database lookup required for select * from them where id='tab';
> PGSQL query: select * from them where id='tab';
> PGSQL using cached connection for localhost/test/CALLER
> -lookup yielded: name="x x" id=tab
> +lookup yielded: name="x x" id=tab
> +search_open: pgsql "NULL"
> + cached open
> +search_find: file="NULL"
> + key="select * from them where name='''stquot';" partial=-1 affix=NULL starflags=0
> +LRU list:
> +internal_search_find: file="NULL"
> + type=pgsql key="select * from them where name='''stquot';"
> +database lookup required for select * from them where name='''stquot';
> +PGSQL query: select * from them where name='''stquot';
> +PGSQL using cached connection for localhost/test/CALLER
> +lookup yielded: name='stquot id=quote1
> search_tidyup called
> close PGSQL connection: localhost/test/CALLER
> >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
>
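Review bot: The removed and added lines for lookup yielded: name="x x" id=tab at the top of this hunk read the same as shown, so the difference can only be whitespace, presumably inside the name value of the id=tab row. The matching line in stdout/9200 is left as unchanged context in this commit, so please confirm the whitespace change here is intended and not an editor rewriting a tab, since this file is compared against the test run's debug output.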
> Index: 9200
> ===================================================================
> RCS file: /home/cvs/exim/exim-test/stdout/9200,v
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- 9200 7 Feb 2006 10:47:37 -0000 1.1
> +++ 9200 30 Jun 2006 13:57:46 -0000 1.2
> @@ -8,6 +8,7 @@
> > name="before
> after" id=newline
> > name="x x" id=tab
> +> name='stquot id=quote1
> >
>
> **** SMTP testing session as if from host 10.0.0.0
>
>
----- End forwarded message -----
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835