[libpostgresql-jdbc-java] 21/22: Fix to prevent SQL injection attacks when calling setObject(int, Object, int) where the Object is a String and the type is numeric (i.e. INTEGER, LONG, etc). The fix applies the standard escaping for these values.

Mon Jan 9 10:19:04 UTC 2017

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to tag REL7_3_4
in repository libpostgresql-jdbc-java.

commit 82d83010bf96f428fef86ae0e3b0001e8fb45d0e
Author: Barry Lind <barry at xythos.com>
Date:   Tue Jul 22 05:13:05 2003 +0000

    Fix to prevent SQL injection attacks when calling setObject(int,Object,int)
    where the Object is a String and the type is numeric (i.e. INTEGER,LONG,etc).
    The fix applies the standard escaping for these values.
    
     Modified Files:
      Tag: REL7_3_STABLE
     	jdbc/org/postgresql/Driver.java.in
     	jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
---
 org/postgresql/Driver.java.in                    |  2 +-
 org/postgresql/jdbc1/AbstractJdbc1Statement.java | 49 +++++++++++++++---------
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/org/postgresql/Driver.java.in b/org/postgresql/Driver.java.in
index 4d27f3d..164c1d0 100644
--- a/org/postgresql/Driver.java.in
+++ b/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 	}
 
 	//The build number should be incremented for every new build
-	private static int m_buildNumber = 110;
+	private static int m_buildNumber = 111;
 
 }
diff --git a/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
index 5f076d0..f41216d 100644
--- a/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -913,22 +913,36 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 			{
 				sbuf.setLength(0);
 				sbuf.ensureCapacity(x.length());
-				int i;
-
 				sbuf.append('\'');
-				for (i = 0 ; i < x.length() ; ++i)
-				{
-					char c = x.charAt(i);
-					if (c == '\\' || c == '\'')
-						sbuf.append((char)'\\');
-					sbuf.append(c);
-				}
+				escapeString(x, sbuf);
 				sbuf.append('\'');
 				bind(parameterIndex, sbuf.toString(), type);
 			}
 		}
 	}
 
+	private String escapeString(String p_input) {
+		// use the shared buffer object. Should never clash but this makes
+		// us thread safe!
+		synchronized (sbuf)
+		{
+			sbuf.setLength(0);
+			sbuf.ensureCapacity(p_input.length());
+			escapeString(p_input, sbuf);
+			return sbuf.toString();
+		}
+	}
+
+	private void escapeString(String p_input, StringBuffer p_output) {
+		for (int i = 0 ; i < p_input.length() ; ++i)
+		{
+			char c = p_input.charAt(i);
+			if (c == '\\' || c == '\'')
+				p_output.append((char)'\\');
+			p_output.append(c);
+		}
+	}
+
 	/*
 	 * Set a parameter to a Java array of bytes.  The driver converts this
 	 * to a SQL VARBINARY or LONGVARBINARY (depending on the argument's
@@ -1342,7 +1356,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 		switch (targetSqlType)
 		{
 			case Types.INTEGER:
-				bind(parameterIndex, x.toString(), PG_INTEGER);
+				bind(parameterIndex, escapeString(x.toString()), PG_INTEGER);
 				break;
 			case Types.TINYINT:
 			case Types.SMALLINT:
@@ -1355,7 +1369,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 				if (x instanceof Boolean)
 					bind(parameterIndex, ((Boolean)x).booleanValue() ? "1" : "0", PG_BOOLEAN);
 				else
-					bind(parameterIndex, x.toString(), PG_NUMERIC);
+					bind(parameterIndex, escapeString(x.toString()), PG_NUMERIC);
 				break;
 			case Types.CHAR:
 			case Types.VARCHAR:
@@ -1763,15 +1777,12 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 	}
 
 	/*
-	 * There are a lot of setXXX classes which all basically do
-	 * the same thing.	We need a method which actually does the
-	 * set for us.
-	 *
-	 * @param paramIndex the index into the inString
-	 * @param s a string to be stored
-	 * @exception SQLException if something goes wrong
+	 * Note if s is a String it should be escaped by the caller to avoid SQL
+	 * injection attacks.  It is not done here for efficency reasons as 
+	 * most calls to this method do not require escaping as the source 
+	 * of the string is known safe (i.e. Integer.toString())
 	 */
-	protected void bind(int paramIndex, Object s, String type) throws SQLException
+	private void bind(int paramIndex, Object s, String type) throws SQLException
 	{
 		if (paramIndex < 1 || paramIndex > m_binds.length)
 			throw new PSQLException("postgresql.prep.range");

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpostgresql-jdbc-java.git

