Home > mailing lists

pgsql-server/src/interfaces/jdbc/org/postgresq ... - Mailing list pgsql-committers

From	barry@svr1.postgresql.org (Barry Lind)
Subject	pgsql-server/src/interfaces/jdbc/org/postgresq ...
Date	August 7, 2003 04:15:27
Msg-id	20030807040313.8490AD1C946@svr1.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

CVSROOT:    /cvsroot
Module name:    pgsql-server
Changes by:    barry@svr1.postgresql.org    03/08/07 01:03:13

Modified files:
    src/interfaces/jdbc/org/postgresql/jdbc1:
                                              AbstractJdbc1Statement.java

Log message:
    Sometimes the third time is the charm.  Third try to fix the sql injection
    vulnerability.  This fix completely removes the ability (hack) of being able
    to bind a list of values in an in clause.  It was demonstrated that by allowing
    that functionality you open up the possibility for certain types of
    sql injection attacks.  The previous fix attempts all focused on preventing
    the insertion of additional sql statements (the semi-colon problem:
    xxx; any new sql statement here).  But that still left the ability to
    change the where clause on the current statement or perform a subselect
    which can circumvent applicaiton security logic and/or allow you to call
    any stored function.

    Modified Files:
    jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

pgsql-committers by date:

From: barry@svr1.postgresql.org (Barry Lind)
Date: 07 August 2003, 04:14:22
Subject: pgsql-server/doc/src/sgml jdbc.sgml

From: momjian@svr1.postgresql.org (Bruce Momjian)
Date: 07 August 2003, 04:29:19
Subject: pgsql-server/doc/src/sgml ecpg.sgml

pgsql-server/src/interfaces/jdbc/org/postgresq ... - Mailing list pgsql-committers

Previous

Next