[Python-modules-team] Bug#695233: python-sqlobject: SQLObject doesn't escape strings correctly for postgresql 9.1
drnlmuller+bugs at gmail.com
Wed Dec 5 21:53:23 UTC 2012
Postgresql 9.1 changed the default value of standard_conforming_strings
to on. This disables treating \ as escape characters by default and
control characters now need to be explicitly escaped using postgresql's
E'' syntax. SQLObject only added support for E'' escapes in version
1.2.0, so older versions (such as Debian's 0.12.4) do the wrong thing
when used against wheezy's postgresql server. This results in rather
unexpected behaviour when using sqlobject and postgres.
The attached patch backports the relevant changes from SQLObject 1.2.0
to 0.12.4. I've tested this with my application against both postgres
8.4 and 9.1, and, with the patch, it works correctly against both
versions while it fails against 9.1 without the patch.
The postgresql 9.1 release notes
(http://www.postgresql.org/docs/9.1/static/release-9-1.html) do mention
that escaping strings incorrectly could lead to security issues, although
I'm not certain if this will apply to any software in Debian.
"This change can break applications that are not expecting it and do
their own string escaping according to the old rules. The consequences
could be as severe as introducing SQL-injection security holes. Be sure
to test applications that are exposed to untrusted input, to ensure that
they correctly handle single quotes and backslashes in text strings."
The patch probably breaks support for sqlobject and postgresql 7 - I
haven't tested that and I don't think that is a significant concern.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-sqlobject depends on:
ii python 2.7.3~rc2-1
ii python-formencode 1.2.4-2
ii python-pkg-resources 0.6.24-1
ii python-support 1.0.15
python-sqlobject recommends no packages.
Versions of packages python-sqlobject suggests:
pn python-kinterbasdb <none>
pn python-maxdb <none>
ii python-mysqldb 1.2.3-1+b1
ii python-psycopg2 2.4.5-1
pn python-sqlite <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5873 bytes
Desc: not available
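Added example (not part of the report and not SQLObject's or PostgreSQL's code): a toy model of how the server lexes a string literal with standard_conforming_strings off (the pre-9.1 default) versus on (the 9.1 default), run against three quoting strategies. The lexer covers only the escapes the example needs (backslash, quote, \n, \t, \r, \b and doubled ''), the quoting functions are stand-ins for the strategies discussed above rather than the library's converters, and the WHERE clause and input values are constructed for the demonstration. It shows the two failure modes the report and the release notes describe: backslash-style escaping against a 9.1 server either stores mangled data (doubled backslashes, literal "\n") or, for a quote-containing input, lets attacker text escape the literal, while the E'' form behaves the same under both settings.

```python
# Added example: model of PostgreSQL string-literal lexing under both
# standard_conforming_strings settings, applied to three quoting strategies.
# The lexer is deliberately minimal and the quoters are illustrative stand-ins,
# not SQLObject's converters (assumption: they capture the strategies' shapes).

ESCAPES = {"\\": "\\", "'": "'", "n": "\n", "t": "\t", "r": "\r", "b": "\b"}


def lex_literal(sql, scs_on):
    """Consume one string literal at the start of `sql`.

    scs_on=False: plain '...' literals interpret backslash escapes (pre-9.1 default).
    scs_on=True:  plain '...' literals treat backslash as data (9.1+ default).
    An E'...' literal interprets escapes in either mode; '' is a quote in every mode.
    Returns (decoded_value, unconsumed_sql); raises ValueError where the server
    would report an unterminated quoted string.
    """
    escapes = not scs_on
    if sql.startswith("E'"):
        sql, escapes = sql[1:], True
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1 : i + 2] == "'":      # '' -> literal quote, both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1 :]  # closing quote
        if c == "\\" and escapes and i + 1 < len(sql):
            out.append(ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted string")


def quote_backslash(value):
    """Old-rules quoting: backslash-escape into a plain '...' literal.
    Only correct when the server processes backslashes in plain literals."""
    table = {"\\": "\\\\", "'": "\\'", "\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b"}
    return "'" + "".join(table.get(c, c) for c in value) + "'"


def quote_e(value):
    """Same escaping behind an E prefix: escape processing is requested
    explicitly, so the result no longer depends on the server setting."""
    return "E" + quote_backslash(value)


def quote_standard(value):
    """SQL-standard quoting: double single quotes, backslash is data.
    Correct only when the server does NOT process backslashes."""
    return "'" + value.replace("'", "''") + "'"


QUOTERS = {"backslash": quote_backslash, "E": quote_e, "standard": quote_standard}
TAIL = " AND active = true"  # constructed: SQL that must stay outside the literal


def round_trip(value, quoter, scs_on):
    """Embed `value` in a constructed WHERE clause, lex it as a server with the
    given standard_conforming_strings setting would, and report what landed in
    the string versus what the server now sees as SQL text after it."""
    clause = "name = " + quoter(value) + TAIL
    try:
        stored, rest = lex_literal(clause[len("name = ") :], scs_on)
    except ValueError as e:
        return {"error": str(e)}
    return {"stored": stored, "sql_after": rest, "injected": rest != TAIL}


def matrix(value):
    """Every quoter/setting combination for one input value."""
    return {(name, scs): round_trip(value, q, scs)
            for name, q in QUOTERS.items() for scs in (False, True)}


if __name__ == "__main__":
    # constructed inputs: a Windows path, a value with a newline, a quote payload
    for value in ["C:\\temp\\new", "line1\nline2", "' OR 1=1 --"]:
        print(repr(value))
        for (name, scs), r in matrix(value).items():
            print("  %-9s scs=%-5s %r" % (name, scs, r))
```

Running it shows the backslash quoter storing "C:\\temp\\new" and a literal backslash-n under scs=True, and for the quote payload under scs=True the text " OR 1=1 --' AND active = true" left outside the literal; the E quoter gives the original value back under both settings, and the plain standard quoter is correct under scs=True but turns "\t" and "\n" into control characters under scs=False, which is why a driver that must support both servers needs the E'' prefix.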