Bug#369351: exim4-daemon-heavy: Insecure quote escaping in
PostgreSQL backend
Florian Weimer
fw at deneb.enyo.de
Mon May 29 18:49:57 UTC 2006
* Martin Pitt:
> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq.
PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely. You really should use
PQescapeStringConn.
Would you add this information to the other bug reports, too?
More information about the Pkg-exim4-maintainers
mailing list