Bug#369351: (fwd) [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src/src/lookups pgsql.c exim/exim-test/scripts/9200-PostgreSQL 9200 exim/exim-test/stderr 9200 exim/exim-test/stdout 9200 [ph10@sesame.csx.cam.ac.uk]

Florian Weimer fw at deneb.enyo.de
Fri Jun 30 16:18:37 UTC 2006


* Marc Haber:

>>   +The original code quoted single quotes as \' which is documented as valid in
>>   +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
>>   +the SQL standard '' way of representing a single quote as data. However, in
>>   +June 2006 there was some security issue with using \' and so this has been
>>   +changed.

This is still not correct.  You need to deal with multi-byte character
encodings while quoting, otherwise you still suffer from the
vulnerability for certain encodings.

>>   +[Note: There is a function called PQescapeStringConn() that quotes strings.
>>   +This cannot be used because it needs a PGconn argument (the connection handle).
>>   +Why, I don't know. Seems odd for just string escaping...]

PQescapeStringConn uses the connection handle to determine the
encoding of the passed string.  If you can't supply the handle,
PQescapeString is the better choice, but it relies on an internal
global variable.

I'm going to have a look at how Exim deals with SQL backends.  Perhaps
there is a reasonably portable way to do away with all that quoting.
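As an added illustration of the encoding point above (example code written for this page, not part of this thread or of Exim's pgsql.c), here is a character-aware quoting routine in C. It uses a constructed, simplified double-byte encoding rather than a real charset table, doubles ' and \ only where they stand as single-byte characters, copies multibyte characters (including a 0x5C trail byte) untouched, and rejects invalid or truncated sequences such as a lead byte followed directly by a quote, which is exactly the input a byte-wise \' escaper mishandles.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified double-byte client encoding (loosely GBK-like, not
 * a real charset table): a byte in 0x81..0xFE starts a two-byte character
 * whose trail byte must be in 0x40..0xFE; any other byte is a single-byte
 * character.  Returns the byte length of the character at p, or 0 when the
 * sequence is invalid or truncated. */
static size_t char_len(const unsigned char *p, size_t remaining)
{
    if (p[0] < 0x81 || p[0] == 0xFF)
        return 1;
    if (remaining < 2 || p[1] < 0x40 || p[1] == 0xFF)
        return 0;
    return 2;
}

/* Quote a string for use inside a single-quoted SQL literal, walking the
 * input character by character rather than byte by byte.  ' and \ are doubled
 * (the SQL-standard '' form, plus \\ for servers that still treat backslash
 * as an escape inside literals), but only when they occur as single-byte
 * characters; the bytes of a multibyte character are copied verbatim.  Input
 * that is not valid in the encoding is rejected (NULL) rather than passed on,
 * so a lead byte followed by a quote cannot hide the quote.  Caller frees. */
char *quote_sql_literal(const char *in, size_t len)
{
    const unsigned char *p = (const unsigned char *)in;
    char *out = malloc(2 * len + 1);   /* worst case: every byte doubled */
    char *q = out;
    size_t i = 0;

    if (out == NULL)
        return NULL;
    while (i < len) {
        size_t n = char_len(p + i, len - i);
        if (n == 0) {                  /* invalid or truncated sequence */
            free(out);
            return NULL;
        }
        if (n == 1 && (p[i] == '\'' || p[i] == '\\'))
            *q++ = (char)p[i];         /* emit the doubling byte first */
        memcpy(q, p + i, n);
        q += n;
        i += n;
    }
    *q = '\0';
    return out;
}
```

For the two-byte input 0x81 0x27 (lead byte, then a quote) this returns NULL, whereas a byte-wise escaper would emit 0x81 0x5C 0x27 and a server decoding that encoding would read the first two bytes as one character and the quote as unescaped.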
