Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Martin Pitt
mpitt at debian.org
Tue May 30 05:58:58 UTC 2006
Hi Florian,
Florian Weimer [2006-05-29 20:49 +0200]:
> * Martin Pitt:
>
> > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > escape quoting, which makes it vulnerable against this attack with
> > earlier PostgreSQL versions, and will break with the current one
> > (since it disables this method of quote escaping by default in
> > affected client encodings). A quick fix is to change the function to
> > use '' instead of \', but a better fix is to completely replace the
> > loop with an invocation of PQescapeString() from libpq.
>
> PQescapeString is deprecated because given its interface, the security
> bug cannot be closed completely. You really should use
> PQescapeStringConn.
Thanks for the reminder, sorry that I forgot that. However, this is
only necessary if the application uses several postmaster connections
concurrently. With a single connection (which should be the usual
case) PQescapeString() and PQescapeBytea() will do the right thing.
> Would you add this information to the other bug reports, too?
Done.
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
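The following is an added example, not exim's or Debian's code, that models the two quoting strategies from the report in a Shift_JIS client encoding (where 0x5C can be the trail byte of a two-byte character): escaping with `\'` can leave a quote unescaped, while doubling to `''` never can, because 0x27 is not a valid trail byte. The scanner, the `LIT_*` status codes and the `quote_*` helpers are hypothetical; the proper fix in real code is libpq's PQescapeStringConn(), which is omitted here because it needs a live connection.

```c
/* Added example (not exim's code): "\'" vs "''" escaping under Shift_JIS. */
#include <stdlib.h>
#include <string.h>

/* Shift_JIS byte classes: lead bytes and the bytes allowed to follow them. */
#define SJIS_LEAD(b)  (((b) >= 0x81 && (b) <= 0x9F) || ((b) >= 0xE0 && (b) <= 0xFC))
#define SJIS_TRAIL(b) (((b) >= 0x40 && (b) <= 0x7E) || ((b) >= 0x80 && (b) <= 0xFC))

/* Escape every ' in s by prefixing esc (old pgsql_quote: '\\'; quick fix: '\''). */
static char *quote_with(const char *s, char esc)
{
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    for (; *s; s++) {
        if (*s == '\'') *p++ = esc;
        *p++ = *s;
    }
    *p = '\0';
    return out;
}
char *quote_backslash(const char *s) { return quote_with(s, '\\'); }
char *quote_doubled(const char *s)   { return quote_with(s, '\''); }

enum { LIT_OK = 0, LIT_QUOTE_LEAKS = 1, LIT_BAD_ENCODING = 2 };

/* Scan an escaped literal body the way an SJIS-aware lexer with backslash
 * escapes enabled would: a lead byte consumes the next byte as part of one
 * character, so a backslash in that position no longer escapes anything.
 * Returns LIT_QUOTE_LEAKS if a bare quote would end the literal early, and
 * LIT_BAD_ENCODING if a lead byte is followed by an invalid trail byte
 * (a sequence the server rejects rather than interprets). */
int sjis_literal_status(const char *lit)
{
    const unsigned char *s = (const unsigned char *)lit;
    while (*s) {
        if (SJIS_LEAD(*s)) {
            if (!SJIS_TRAIL(s[1])) return LIT_BAD_ENCODING;
            s += 2;                       /* one two-byte character */
        } else if (*s == '\\' && s[1]) {
            s += 2;                       /* backslash escape */
        } else if (*s == '\'') {
            if (s[1] != '\'') return LIT_QUOTE_LEAKS;
            s += 2;                       /* doubled quote */
        } else {
            s++;
        }
    }
    return LIT_OK;
}
```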