Re: Incorrect matching of sql/json PASSING variable names - Mailing list pgsql-hackers

From Amit Langote
Subject Re: Incorrect matching of sql/json PASSING variable names
Date
Msg-id CA+HiwqG4PSQf9E=c7+BzzRvnfQLEmmL=c6dDmio+ztc9_wx69w@mail.gmail.com
In response to Incorrect matching of sql/json PASSING variable names  (Amit Langote <amitlangote09@gmail.com>)
Responses Re: Incorrect matching of sql/json PASSING variable names
List pgsql-hackers
On Thu, Jun 6, 2024 at 6:20 PM Amit Langote <amitlangote09@gmail.com> wrote:
>
> Hi,
>
> Alvaro reported off-list that the following should really fail,
> because the jsonpath expression refers to a PASSING variable that
> doesn't exist:
>
> select json_query('"1"', jsonpath '$xy' passing 2 AS xyz);
>  json_query
> ------------
>  2
> (1 row)
>
> This works because of a bug in GetJsonPathVar() whereby it allows a
> jsonpath expression to reference any prefix of the PASSING variable
> names.
>
> Attached is a patch to fix that.

Here's an updated version that I'll push tomorrow.

--
Thanks, Amit Langote
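
The prefix match described in the quoted report, as an added illustration that is not part of the original message and is not PostgreSQL's GetJsonPathVar() code. It assumes the lookup bounds the comparison by the length of the name referenced in the jsonpath; `PassingVar`, `lookup_prefix`, `lookup_exact` and `resolve` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one PASSING variable (not a PostgreSQL struct). */
typedef struct { const char *name; int value; } PassingVar;

/* Constructed sample mirroring "passing 2 AS xyz" from the report. */
static const PassingVar sample_vars[] = { { "xyz", 2 } };
#define NVARS (sizeof(sample_vars) / sizeof(sample_vars[0]))

/* Prefix-matching lookup: the comparison is bounded only by the length of
 * the name referenced in the path, so "xy" matches the variable "xyz". */
static const PassingVar *lookup_prefix(const char *ref, size_t reflen)
{
    for (size_t i = 0; i < NVARS; i++)
        if (strncmp(sample_vars[i].name, ref, reflen) == 0)
            return &sample_vars[i];
    return NULL;
}

/* Exact lookup: the lengths must agree before the bytes are compared. */
static const PassingVar *lookup_exact(const char *ref, size_t reflen)
{
    for (size_t i = 0; i < NVARS; i++)
        if (strlen(sample_vars[i].name) == reflen &&
            memcmp(sample_vars[i].name, ref, reflen) == 0)
            return &sample_vars[i];
    return NULL;
}

/* Returns the resolved value, or -1 when no variable matches. */
int resolve(int exact, const char *ref, size_t reflen)
{
    const PassingVar *v = exact ? lookup_exact(ref, reflen)
                                : lookup_prefix(ref, reflen);
    return v ? v->value : -1;
}

int main(void)
{
    printf("prefix  $xy  -> %d\n", resolve(0, "xy", 2));
    printf("exact   $xy  -> %d\n", resolve(1, "xy", 2));
    printf("exact   $xyz -> %d\n", resolve(1, "xyz", 3));
    return 0;
}
```

With a length-bounded comparison, a zero-length reference also matches the first variable, which the exact lookup rejects.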
