[libpostgresql-jdbc-java] 22/22: Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett and Dmitry Tkach Modified Files: Tag: REL7_3_STABLE jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Jan 9 10:19:04 UTC 2017


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to tag REL7_3_4
in repository libpostgresql-jdbc-java.

commit 433b7b97da262eb863e59b29161f9691a7e624c8
Author: Barry Lind <barry at xythos.com>
Date:   Wed Jul 23 23:34:31 2003 +0000

    Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett
    and Dmitry Tkach
     Modified Files:
      Tag: REL7_3_STABLE
     	jdbc/org/postgresql/Driver.java.in
     	jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
---
 org/postgresql/Driver.java.in                    |  2 +-
 org/postgresql/jdbc1/AbstractJdbc1Statement.java | 31 +++++++++++++++++++-----
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/org/postgresql/Driver.java.in b/org/postgresql/Driver.java.in
index 164c1d0..241c588 100644
--- a/org/postgresql/Driver.java.in
+++ b/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 	}
 
 	//The build number should be incremented for every new build
-	private static int m_buildNumber = 111;
+	private static int m_buildNumber = 112;
 
 }
diff --git a/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
index f41216d..925fc06 100644
--- a/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 				sbuf.setLength(0);
 				sbuf.ensureCapacity(x.length());
 				sbuf.append('\'');
-				escapeString(x, sbuf);
+				escapeString(x, sbuf, true);
 				sbuf.append('\'');
 				bind(parameterIndex, sbuf.toString(), type);
 			}
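Review bot: The quoted literal built here is only safe while the server treats a backslash as an escape character inside `'...'` strings, because `escapeString` (rewritten in the next hunk) still emits `\'` for an embedded quote. On a server where a backslash is an ordinary character in string literals (PostgreSQL's `standard_conforming_strings` behaviour), that sequence would close the literal early and the remainder of the value would be parsed as SQL. Doubling the quote is accepted in both modes, so the `'\''` case could use `p_output.append('\''); p_output.append('\'');` and leave the backslash prefix to the `'\\'` case alone. The enclosing method starts above this hunk, so which parameter types reach this branch cannot be confirmed from here.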
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
 		{
 			sbuf.setLength(0);
 			sbuf.ensureCapacity(p_input.length());
-			escapeString(p_input, sbuf);
+			escapeString(p_input, sbuf, false);
 			return sbuf.toString();
 		}
 	}
 
-	private void escapeString(String p_input, StringBuffer p_output) {
+	/*
+	 * p_allowStatementTerminator determines if a semi-colon is allowed in the
+	 * returned value.  A semi-colon should only be allowed if the resulting 
+	 * string will be enclosed in single quotes in a sql string, or will be 
+	 * passed by value to the server via a bind thus bypassing the sql parser
+	 * on the server.
+	 */
+	private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
 		for (int i = 0 ; i < p_input.length() ; ++i)
 		{
 			char c = p_input.charAt(i);
-			if (c == '\\' || c == '\'')
-				p_output.append((char)'\\');
-			p_output.append(c);
+			switch (c)
+			{
+			    case '\\':
+			    case '\'':
+					p_output.append('\\');
+					p_output.append(c);
+					break;
+			    case '\0':
+					throw new IllegalArgumentException("\\0 not allowed");
+			    case ';':
+					if (!p_allowStatementTerminator)
+						throw new IllegalArgumentException("semicolon not allowed");
+				default:
+					p_output.append(c);
+			}
 		}
 	}
 
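Review bot: The `p_allowStatementTerminator == false` path is a deny-list: rejecting `;` and `\0` stops a second statement from being appended, but a value placed outside quotes can still change the meaning of the single statement it is spliced into. The caller at the top of this hunk (its signature is outside the hunk) returns the escaped text without adding quotes, so it appears to depend on exactly that path. I would extend the block comment with `Rejecting ';' does not make the result safe as unquoted SQL; callers must validate it against the expected literal type (e.g. numeric) before use.` Separately, `case ';'` reaches `default` by fall-through when the flag is true; a `// fall through` comment after the `throw` would show that this is intended.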

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpostgresql-jdbc-java.git


