[Python-modules-team] Bug#695233: python-sqlobject: SQLObject doesn't escape strings correctly for postgresql 9.1

Neil Muller drnlmuller+bugs at gmail.com
Wed Dec 5 21:53:23 UTC 2012

Package: python-sqlobject
Version: 0.12.4-2.1
Severity: important
Tags: patch

Dear Maintainer,

Postgresql 9.1 changed the default value of standard_conforming_strings
to on. This disables treating \ as an escape character by default, and
control characters now need to be explicitly escaped using postgresql's
E'' syntax. SQLObject only added support for E'' escapes in version
1.2.0, so older versions (such as Debian's 0.12.4) do the wrong thing
when used against wheezy's postgresql server. This results in rather
unexpected behaviour when using sqlobject and postgres.

The attached patch backports the relevant changes from SQLObject 1.2.0
to 0.12.4. I've tested this with my application against both postgres
8.4 and 9.1, and, with the patch, it works correctly against both
versions while it fails against 9.1 without the patch.

The postgresql 9.1 release notes
(http://www.postgresql.org/docs/9.1/static/release-9-1.html) do mention
that escaping strings incorrectly could lead to security issues, although
I'm not certain if this will apply to any software in Debian.

"This change can break applications that are not expecting it and do
their own string escaping according to the old rules. The consequences
could be as severe as introducing SQL-injection security holes. Be sure
to test applications that are exposed to untrusted input, to ensure that
they correctly handle single quotes and backslashes in text strings."

The patch probably breaks support for sqlobject and postgresql 7 - I
haven't tested that and I don't think that is a significant concern.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-sqlobject depends on:
ii  python                2.7.3~rc2-1
ii  python-formencode     1.2.4-2
ii  python-pkg-resources  0.6.24-1
ii  python-support        1.0.15

python-sqlobject recommends no packages.

Versions of packages python-sqlobject suggests:
pn  python-kinterbasdb  <none>
pn  python-maxdb        <none>
ii  python-mysqldb      1.2.3-1+b1
ii  python-psycopg2     2.4.5-1
pn  python-sqlite       <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sqlobject_postgres_escape_0.12.4.diff
Type: text/x-diff
Size: 5873 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20121205/9b7e6269/attachment.diff>
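The escaping change the report describes, as an added example that is not part of the original report, of the attached patch, or of SQLObject's own code: a toy model of how the PostgreSQL lexer reads a string literal under each standard_conforming_strings setting, a hypothetical pre-9.1 style quoting routine (quote_legacy) that relies on backslash being an escape, and a quoting routine (quote_standard) that decodes identically under both settings because it switches to an E'' literal whenever a backslash or control character is present. All function names and the sample values are constructed for this example; the parser omits octal escapes for brevity.

```python
import re

# Added example (not from the bug report or from SQLObject itself): a toy model
# of how PostgreSQL reads a string literal under each standard_conforming_strings
# setting, plus a quoting routine that is correct under both by using E'' syntax.

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def parse_literal(sql, standard_conforming_strings=True):
    """Decode the string literal at the start of `sql` the way the PostgreSQL
    lexer does (octal escapes omitted for brevity). Returns (value, remainder);
    a non-empty remainder means the literal closed earlier than the caller
    intended. Backslash is an escape character only inside E'' literals or
    when standard_conforming_strings is off."""
    i = 0
    backslash_escapes = not standard_conforming_strings
    if sql[:2].upper() == "E'":
        backslash_escapes = True
        i = 1
    if sql[i:i + 1] != "'":
        raise ValueError("not a string literal")
    i += 1
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":          # '' inside a literal is one quote
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]     # closing quote
        if c == "\\" and backslash_escapes:
            nxt = sql[i + 1:i + 2]
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
                continue
            if nxt == "x":
                m = re.match(r"[0-9A-Fa-f]{1,2}", sql[i + 2:])
                if m:
                    out.append(chr(int(m.group(), 16)))
                    i += 2 + len(m.group())
                    continue
            out.append(nxt)                      # \\, \' and any other char: the char itself
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def quote_legacy(value):
    """Hypothetical pre-9.1 style quoting: relies on backslash being an escape,
    so it doubles backslashes and backslash-escapes quotes. Correct only when
    standard_conforming_strings is off."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_standard(value):
    """Quote a Python string for PostgreSQL so that it decodes identically under
    either setting: a plain '...' literal (quotes doubled) when no backslash or
    control character is present, otherwise an E'...' literal with every
    backslash and control character explicitly escaped."""
    if "\\" not in value and not any(ord(c) < 32 for c in value):
        return "'" + value.replace("'", "''") + "'"
    out = []
    for c in value:
        if c == "\\":
            out.append("\\\\")
        elif c == "'":
            out.append("''")
        elif c == "\n":
            out.append("\\n")
        elif c == "\r":
            out.append("\\r")
        elif c == "\t":
            out.append("\\t")
        elif ord(c) < 32:
            out.append("\\x%02x" % ord(c))   # always two hex digits, so no ambiguity
        else:
            out.append(c)
    return "E'" + "".join(out) + "'"


def round_trips(quote, value, standard_conforming_strings):
    """True if quote(value) decodes back to value and consumes the whole literal."""
    decoded, rest = parse_literal(quote(value), standard_conforming_strings)
    return decoded == value and rest == ""


if __name__ == "__main__":
    # Constructed sample values: a quote, a backslash, a newline, raw control bytes.
    samples = ["O'Reilly", "C:\\temp", "line1\nline2", "'\\", "\x01\x1f"]
    for scs in (False, True):
        for v in samples:
            print("scs=%-5s legacy=%-5s standard=%-5s %r" % (
                scs, round_trips(quote_legacy, v, scs),
                round_trips(quote_standard, v, scs), v))
```

Running the block prints a round-trip table: quote_standard round-trips every sample under both settings, while quote_legacy only does so with standard_conforming_strings off. With it on, a backslash in the data decodes as two backslashes, and a value ending in a backslash-escaped quote closes the literal early and leaves a non-empty remainder, which is the hazard the 9.1 release notes warn about.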
