[libpostgresql-jdbc-java] 21/22: Fix to prevent SQL injection attacks when calling setObject(int, Object, int) where the Object is a String and the type is numeric (i.e. INTEGER, LONG, etc). The fix applies the standard escaping for these values.

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 9 10:19:04 UTC 2017


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to tag REL7_3_4
in repository libpostgresql-jdbc-java.

commit 82d83010bf96f428fef86ae0e3b0001e8fb45d0e
Author: Barry Lind <barry at xythos.com>
Date:   Tue Jul 22 05:13:05 2003 +0000

    Fix to prevent SQL injection attacks when calling setObject(int,Object,int)
    where the Object is a String and the type is numeric (e.g. INTEGER, LONG, etc.).
    The fix applies the standard escaping for these values.
    
     Modified Files:
      Tag: REL7_3_STABLE
     	jdbc/org/postgresql/Driver.java.in
     	jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
---
 org/postgresql/Driver.java.in                    |  2 +-
 org/postgresql/jdbc1/AbstractJdbc1Statement.java | 49 +++++++++++++++---------
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/org/postgresql/Driver.java.in b/org/postgresql/Driver.java.in
index 4d27f3d..164c1d0 100644
--- a/org/postgresql/Driver.java.in
+++ b/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 	}
 
 	//The build number should be incremented for every new build
-	private static int m_buildNumber = 110;
+	private static int m_buildNumber = 111;
 
 }
diff --git a/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
index 5f076d0..f41216d 100644
--- a/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -913,22 +913,36 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 			{
 				sbuf.setLength(0);
 				sbuf.ensureCapacity(x.length());
-				int i;
-
 				sbuf.append('\'');
-				for (i = 0 ; i < x.length() ; ++i)
-				{
-					char c = x.charAt(i);
-					if (c == '\\' || c == '\'')
-						sbuf.append((char)'\\');
-					sbuf.append(c);
-				}
+				escapeString(x, sbuf);
 				sbuf.append('\'');
 				bind(parameterIndex, sbuf.toString(), type);
 			}
 		}
 	}
 
+	private String escapeString(String p_input) {
+		// use the shared buffer object. Should never clash but this makes
+		// us thread safe!
+		synchronized (sbuf)
+		{
+			sbuf.setLength(0);
+			sbuf.ensureCapacity(p_input.length());
+			escapeString(p_input, sbuf);
+			return sbuf.toString();
+		}
+	}
+
+	private void escapeString(String p_input, StringBuffer p_output) {
+		for (int i = 0 ; i < p_input.length() ; ++i)
+		{
+			char c = p_input.charAt(i);
+			if (c == '\\' || c == '\'')
+				p_output.append((char)'\\');
+			p_output.append(c);
+		}
+	}
+
 	/*
 	 * Set a parameter to a Java array of bytes.  The driver converts this
 	 * to a SQL VARBINARY or LONGVARBINARY (depending on the argument's
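Review bot: The new escapeString(String) at L66–L76 returns the escaped text without surrounding quotes, and the loop at L78–L86 only prefixes backslashes and single quotes, so a value that contains no quote or backslash is returned unchanged; if bind() emits PG_INTEGER/PG_NUMERIC values unquoted into the statement text (the setString branch at L51/L60 adds the quotes itself, and nothing in these hunks adds them for the numeric cases), the calls added in the next two hunks (L96, L105) still pass arbitrary non-numeric text through to the query. For a numeric target the robust check is to require the string to be a numeric literal rather than to escape it, e.g. in the INTEGER case `bind(parameterIndex, Integer.valueOf(x.toString()).toString(), PG_INTEGER);` and in the NUMERIC case `bind(parameterIndex, new java.math.BigDecimal(x.toString()).toString(), PG_NUMERIC);`, mapping NumberFormatException to a PSQLException so the caller gets a SQLException instead of a raw runtime error. Whether the Boolean branch at L102 and the other numeric Types that fall through to L104 accept the BigDecimal parse should be confirmed against the full switch, which starts before L92. The setString body that calls escapeString at L59 starts outside this hunk, so I cannot see whether its use of the shared sbuf is inside a synchronized block like the new escapeString(String) is; worth confirming since both now write the same buffer.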
@@ -1342,7 +1356,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 		switch (targetSqlType)
 		{
 			case Types.INTEGER:
-				bind(parameterIndex, x.toString(), PG_INTEGER);
+				bind(parameterIndex, escapeString(x.toString()), PG_INTEGER);
 				break;
 			case Types.TINYINT:
 			case Types.SMALLINT:
@@ -1355,7 +1369,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 				if (x instanceof Boolean)
 					bind(parameterIndex, ((Boolean)x).booleanValue() ? "1" : "0", PG_BOOLEAN);
 				else
-					bind(parameterIndex, x.toString(), PG_NUMERIC);
+					bind(parameterIndex, escapeString(x.toString()), PG_NUMERIC);
 				break;
 			case Types.CHAR:
 			case Types.VARCHAR:
@@ -1763,15 +1777,12 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 	}
 
 	/*
-	 * There are a lot of setXXX classes which all basically do
-	 * the same thing.	We need a method which actually does the
-	 * set for us.
-	 *
-	 * @param paramIndex the index into the inString
-	 * @param s a string to be stored
-	 * @exception SQLException if something goes wrong
+	 * Note if s is a String it should be escaped by the caller to avoid SQL
+	 * injection attacks.  It is not done here for efficency reasons as 
+	 * most calls to this method do not require escaping as the source 
+	 * of the string is known safe (i.e. Integer.toString())
 	 */
-	protected void bind(int paramIndex, Object s, String type) throws SQLException
+	private void bind(int paramIndex, Object s, String type) throws SQLException
 	{
 		if (paramIndex < 1 || paramIndex > m_binds.length)
 			throw new PSQLException("postgresql.prep.range");
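Review bot: Narrowing bind from protected to private at L126 removes it from subclasses; AbstractJdbc1Statement is abstract and presumably extended by the jdbc2/jdbc3 statement classes, so confirm none of them calls bind before making it private, otherwise keep it protected. The rewritten comment at L120–L123 also drops the @param/@exception lines from L117–L119; keep them and make the caller obligation explicit, e.g. `* @param s the value to substitute; if it is a String the caller must already have escaped it (and quoted it for text types) — this method inserts it verbatim`, and fix "efficency" to "efficiency". The method body continues past the end of the hunk.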
