Re: BUG #2424: initdb Did Not Escape the Password - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #2424: initdb Did Not Escape the Password
Date
Msg-id 23763.1148746586@sss.pgh.pa.us
Whole thread Raw
In response to Re: BUG #2424: initdb Did Not Escape the Password  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: BUG #2424: initdb Did Not Escape the Password
List pgsql-bugs
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Your patch has been added to the PostgreSQL unapplied patches list at:

I don't particularly like this patch, because it is predicated on a
false assumption, namely that initdb uses libpq to talk to the backend.
ISTM PQescapeString is not the thing to use.  (As a concrete example
of why not, there'll be no way to make it use the correct value of
standard_conforming_strings, when that default changes.)

I think the best solution is probably to use the existing escape_quotes
function and to place its output in an E'' string.

I looked through initdb to see if there were any other places where it
was creating SQL string literals that might have escaping problems.
All of the COPY commands it issues are potentially at risk: consider
the possibility that the installation sharedir has a quote or backslash
in its path.  I didn't see any other holes though.

Will fix this later today.

            regards, tom lane

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: Strange random() Correlation
Next
From: Volkan YAZICI
Date:
Subject: Re: Strange random() Correlation