Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend

Martin Pitt mpitt at debian.org
Tue May 30 05:58:58 UTC 2006


Hi Florian,

Florian Weimer [2006-05-29 20:49 +0200]:
> * Martin Pitt:
> 
> > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > escape quoting, which makes it vulnerable against this attack with
> > earlier PostgreSQL versions, and will break with the current one
> > (since it disables this method of quote escaping by default in
> > affected client encodings). A quick fix is to change the function to
> > use '' instead of \', but a better fix is to completely replace the
> > loop with an invocation of PQescapeString() from libpq. 
> 
> PQescapeString is deprecated because given its interface, the security
> bug cannot be closed completely.  You really should use
> PQescapeStringConn.

Thanks for the reminder, sorry that I forgot that. However, this is
just necessary if the application uses several postmaster connections
concurrently. With a single connection (which should be the usual
case) PQescapeString() and PQescapeBytea() will do the right thing.

> Would you add this information to the other bug reports, too?

Done.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
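The two escaping styles the thread contrasts, as an added example (this is neither exim's pgsql.c nor libpq, and the function names are hypothetical): quote_backslash() mirrors the old \' behaviour of pgsql_quote(), and quote_doubled() mirrors what PQescapeStringConn() produces, with the connection's standard_conforming_strings setting passed in as a flag instead of read from a PGconn.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "Before": turn ' into \' (and \ into \\).  The result is only a valid
 * literal if the server still interprets backslashes inside '...'. */
char *quote_backslash(const char *from)
{
    size_t n = strlen(from);
    char *to = malloc(2 * n + 1);        /* worst case: every byte escaped */
    char *p = to;
    if (to == NULL) return NULL;
    for (; *from; from++) {
        if (*from == '\'' || *from == '\\') *p++ = '\\';
        *p++ = *from;
    }
    *p = '\0';
    return to;
}

/* "After", modelled on PQescapeStringConn(): a quote is always written as ''
 * (valid in every encoding and server setting).  A backslash is doubled only
 * while standard_conforming_strings is off, because then the server still
 * treats \ as an escape inside a literal; with it on, \ is an ordinary byte.
 * Per-connection state like this is exactly why PQescapeStringConn() takes
 * the PGconn and the thread prefers it over PQescapeString(). */
char *quote_doubled(const char *from, int std_strings)
{
    size_t n = strlen(from);
    char *to = malloc(2 * n + 1);        /* worst case: every byte doubled */
    char *p = to;
    if (to == NULL) return NULL;
    for (; *from; from++) {
        if (*from == '\'') *p++ = '\'';
        else if (*from == '\\' && !std_strings) *p++ = '\\';
        *p++ = *from;
    }
    *p = '\0';
    return to;
}

int main(void)
{
    const char *in = "it's a \\ test";   /* constructed sample input */
    char *a = quote_backslash(in), *b = quote_doubled(in, 0), *c = quote_doubled(in, 1);
    printf("backslash style : '%s'\n", a);
    printf("doubled, std=off: '%s'\n", b);
    printf("doubled, std=on : '%s'\n", c);
    free(a); free(b); free(c);
    return 0;
}
```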