Hi,

I am the maintainer of Debian's packages for exim4, a powerful and
versatile Mail Transfer Agent developed in Cambridge and in wide use
throughout the Free Software Community (http://www.exim.org/).

One of our daemon flavours has PostgreSQL support. Our security guys
have found a flaw in exim regarding quote escaping for PostgreSQL. The
bug is filed in Debian's BTS as http://bugs.debian.org/369351 and was
transferred to exim's Bugzilla installation as
http://www.exim.org/bugzilla/show_bug.cgi?id=107.

Personally, I do not have any PostgreSQL experience (and do not have
time and expertise to accumulate any), and the PostgreSQL support code
in exim was contributed some time ago and Philip Hazel, exim's author,
doesn't know too much about PostgreSQL either.

From what I understand, the correct way would be to use
PQescapeStringConn, but that function needs an established connection,
and exim performs string escape "early", way before the actual
connection is established.

I'd appreciate it if anybody familiar with PostgreSQL programming could
take a look at the two bug reports and probably exim's program code
and suggest a possible solution, preferably in the bugzilla issue log
referenced above. I'll monitor this thread for possible solutions and
help, though.

Any help would be greatly appreciated.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Email address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835