Re: patch for ECPG (BUG #2956: ECPG does not treat multibyte characters correctly.) - Mailing list pgsql-patches

From ITAGAKI Takahiro
Subject Re: patch for ECPG (BUG #2956: ECPG does not treat multibyte characters correctly.)
Date
Msg-id 20070227203330.63A9.ITAGAKI.TAKAHIRO@oss.ntt.co.jp
In response to Re: patch for ECPG (BUG #2956: ECPG does not treat multibyte characters correctly.)  (Michael Meskes <meskes@postgresql.org>)
Responses Re: patch for ECPG (BUG #2956: ECPG does not treat multibyte characters correctly.)  (Michael Meskes <meskes@postgresql.org>)
List pgsql-patches
Michael Meskes <meskes@postgresql.org> wrote:

> > I found a bug in ecpg concerning processing of the multi-byte character-code.
> > I reported as bug#2956 before.
>
> I'm just committing the changes to CVS but only to HEAD because I cannot
> check if my changes broke something. The sources work fine on my system
> and the regression tests pass without a problem. But then I do not have
> a setup similar to yours. Could you please test this?

I tested the change and it worked fine, but I found that this fix
should be backported -- it might cause SQL injections depending on
the server configurations.

The attached patches are backports for the past releases.
I hope you will apply them. Thanks.


[TEST]
1. initdb --no-locale --encoding=UTF8
2. SET client_encoding = sjis in postgresql.conf
3. ecpg test.pgc
4. gcc test.c
5. test < src.sjis.txt

[RESULTS]
The first character is a Japanese kanji. (0x95+0x5c)

-- 8.3dev
表'; SELECT 9999;--

-- 8.2.3 : backslash_quote = safe_encoding
sql error 'unsafe use of \' in a string literal' in line 21.

-- 8.2.3 : backslash_quote = on  (SQL injection!)
9999

-- 8.2.3 with patch : backslash_quote = safe_encoding
表'; SELECT 9999;--


Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center
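
An added illustration, not code from ECPG or from the attached patches, of why the 0x95 0x5c character in the test input matters: the trail byte of that Shift_JIS character is the ASCII backslash, so quoting that works byte by byte changes where the string literal ends. The function names are hypothetical, the quoting is a simplified model, and the lexer assumes backslash is treated as an escape character inside literals.

```c
#include <stdio.h>

/* Shift_JIS lead bytes are 0x81-0x9F and 0xE0-0xFC; a trail byte may be 0x5C. */
static int sjis_lead(unsigned char c) {
    return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC);
}

/* Quote `in` as a SQL literal. aware=0: backslash-escape ' and \ byte by byte
   (simplified encoding-unaware model). aware=1: copy Shift_JIS 2-byte
   characters whole and double ' and \ only when they are single-byte. */
size_t quote(const char *in, char *out, int aware) {
    size_t o = 0;
    out[o++] = '\'';
    for (; *in; in++) {
        if (aware && sjis_lead((unsigned char)*in) && in[1]) out[o++] = *in++;
        else if (*in == '\'' || *in == '\\') out[o++] = aware ? *in : '\\';
        out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return o;
}

/* Index of the quote that closes the literal, as seen by a Shift_JIS-aware
   lexer that treats backslash as an escape character. */
size_t literal_end(const char *q) {
    size_t i = 1;                       /* skip the opening quote */
    while (q[i]) {
        unsigned char c = (unsigned char)q[i];
        if ((sjis_lead(c) || c == '\\') && q[i + 1]) i += 2;
        else if (c == '\'' && q[i + 1] == '\'') i += 2;
        else if (c == '\'') return i;
        else i++;
    }
    return i;
}

int main(void) {
    /* Constructed input: the bytes from the [RESULTS] section above. */
    const char in[] = "\x95\x5c'; SELECT 9999;--";
    char a[64], b[64];
    size_t la = quote(in, a, 0), lb = quote(in, b, 1);
    printf("byte-wise: literal closes at %zu, last byte is %zu\n", literal_end(a), la - 1);
    printf("aware:     literal closes at %zu, last byte is %zu\n", literal_end(b), lb - 1);
    return 0;
}
```

When the closing index is smaller than the last byte, the remainder of the input sits outside the literal and is parsed as SQL, which is the `backslash_quote = on` result shown above.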

