Re: Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Escaping strings for inclusion into SQL queries
Date
Msg-id 200109120420.f8C4KVf28273@candle.pha.pa.us
Whole thread Raw
In response to Re: Escaping strings for inclusion into SQL queries  (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>)
List pgsql-hackers
I think we need this patch.  Bytea encoding will be changed to accept
\000 rather than \0 for the same reason.  I also agree that the libpq
enescaping of a C string doesn't need to deal with NULL like bytea does.

Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

> "Joe Conway" <joseph.conway@home.com> writes:
> 
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
> 
> I agree that this is a problem, though it is not possible to do
> anything harmful with it.  In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
> 
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
> 
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
> 
> We can't do that, this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
> 
> -- 
> Florian Weimer                       Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart           http://cert.uni-stuttgart.de/
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
> 

[ Attachment, skipping... ]

> 
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026
 


pgsql-hackers by date:

Previous
From: Thomas Lockhart
Date:
Subject: Re: factorial doc bug?
Next
From: Bruce Momjian
Date:
Subject: Re: [JDBC] Patch for doc/jdbc.sgml