[libpostgresql-jdbc-java] 10/11: escapeQuotes() in DatabaseMetaData was not correctly handling backslashes which would result in incorrect searches and has the potential for a SQL injection attack.

[Emmanuel Bourg]

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to tag REL8_0_315
in repository libpostgresql-jdbc-java.

commit 2d5e037af6a1d0d983358554732e1e46f4a77650
Author: Kris Jurka <books at ejurka.com>
Date:   Fri Feb 3 21:10:44 2006 +0000

    escapeQuotes() in DatabaseMetaData was not correctly handling
    backslashes which would result in incorrect searches and has the
    potential for a SQL injection attack.
    
    Paolo Predonzani
---
 org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java | 12 ++++--------
 org/postgresql/test/jdbc2/DatabaseMetaDataTest.java     | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java b/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
index c298552..81ea98d 100644
--- a/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
+++ b/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java
@@ -3,7 +3,7 @@
 * Copyright (c) 2004-2005, PostgreSQL Global Development Group
 *
 * IDENTIFICATION
-*   $PostgreSQL: pgjdbc/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java,v 1.18.2.1 2005/11/29 06:02:33 jurka Exp $
+*   $PostgreSQL: pgjdbc/org/postgresql/jdbc2/AbstractJdbc2DatabaseMetaData.java,v 1.18.2.2 2005/12/04 20:23:47 jurka Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1735,18 +1735,14 @@ public abstract class AbstractJdbc2DatabaseMetaData
     protected static String escapeQuotes(String s) {
         StringBuffer sb = new StringBuffer();
         int length = s.length();
-        char prevChar = ' ';
-        char prevPrevChar = ' ';
         for (int i = 0; i < length; i++)
         {
             char c = s.charAt(i);
-            sb.append(c);
-            if (c == '\'' && (prevChar != '\\' || (prevChar == '\\' && prevPrevChar == '\\')))
+            if (c == '\'' || c == '\\')
             {
-                sb.append("'");
+                sb.append('\\');
             }
-            prevPrevChar = prevChar;
-            prevChar = c;
+            sb.append(c);
         }
         return sb.toString();
     }
diff --git a/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java b/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
index ee31b79..d6d56a7 100644
--- a/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
+++ b/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java
@@ -3,7 +3,7 @@
 * Copyright (c) 2004-2005, PostgreSQL Global Development Group
 *
 * IDENTIFICATION
-*   $PostgreSQL: pgjdbc/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java,v 1.31 2004/11/09 08:54:19 jurka Exp $
+*   $PostgreSQL: pgjdbc/org/postgresql/test/jdbc2/DatabaseMetaDataTest.java,v 1.32 2005/01/11 08:25:48 jurka Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -37,6 +37,8 @@ public class DatabaseMetaDataTest extends TestCase
         TestUtil.dropSequence( con, "sercoltest_b_seq");
         TestUtil.dropSequence( con, "sercoltest_c_seq");
         TestUtil.createTable( con, "sercoltest", "a int, b serial, c bigserial");
+        TestUtil.createTable( con, "\"a\\\"", "a int4");
+        TestUtil.createTable( con, "\"a'\"", "a int4");
 
         Statement stmt = con.createStatement();
         //we add the following comments to ensure the joins to the comments
@@ -50,6 +52,8 @@ public class DatabaseMetaDataTest extends TestCase
         TestUtil.dropTable( con, "sercoltest");
         TestUtil.dropSequence( con, "sercoltest_b_seq");
         TestUtil.dropSequence( con, "sercoltest_c_seq");
+        TestUtil.dropTable( con, "\"a\\\"");
+        TestUtil.dropTable( con, "\"a'\"");
 
         TestUtil.closeDB( con );
     }
@@ -481,6 +485,16 @@ public class DatabaseMetaDataTest extends TestCase
         }
     }
 
+    public void testEscaping() throws SQLException {
+        DatabaseMetaData dbmd = con.getMetaData();
+        ResultSet rs = dbmd.getTables( null, null, "a'", new String[] {"TABLE"});
+        assertTrue(rs.next());
+        rs = dbmd.getTables( null, null, "a\\\\", new String[] {"TABLE"});
+        assertTrue(rs.next());
+        rs = dbmd.getTables( null, null, "a\\", new String[] {"TABLE"});
+        assertTrue(!rs.next());
+    }
+
     public void testSearchStringEscape() throws Exception {
         DatabaseMetaData dbmd = con.getMetaData();
         Statement stmt = con.createStatement();

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpostgresql-jdbc-java.git