Hi Florian,

Florian Weimer [2006-05-29 20:49 +0200]:
> * Martin Pitt:
>
> > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > escape quoting, which makes it vulnerable against this attack with
> > earlier PostgreSQL versions, and will break with the current one
> > (since it disables this method of quote escaping by default in
> > affected client encodings). A quick fix is to change the function to
> > use '' instead of \', but a better fix is to completely replace the
> > loop with an invocation of PQescapeString() from libpq.
>
> PQescapeString is deprecated because given its interface, the security
> bug cannot be closed completely. You really should use
> PQescapeStringConn.
Thanks for the reminder, sorry that I forgot that. However, this is just
necessary if the application uses several postmaster connections
concurrently. With a single connection (which should be the usual case)
PQescapeString() and PQescapeBytea() will do the right thing.

> Would you add this information to the other bug reports, too?

Done.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
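Added example, not exim's code and not from either poster: the two hand-rolled quoting loops the thread contrasts, side by side in C, plus a check for the property the '' form gives you. Function names are my own; neither loop looks at the client encoding, which is exactly what PQescapeStringConn() does and why the thread recommends it over a local loop.

```c
#include <stdlib.h>
#include <string.h>

/* The style the thread criticises: ' and \ get a backslash prefix.
 * The inserted 0x5C byte is the weak spot in client encodings where
 * 0x5C can be the trailing byte of a multibyte character, and the
 * current server disables \' by default in those encodings. */
char *quote_backslash_style(const char *s)
{
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == '\'' || *s == '\\')
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* The quick fix from the thread: write '' for '. A backslash is still
 * doubled, because with backslash-escape string syntax (the server
 * default at the time) a lone \ would otherwise escape the closing
 * quote. No byte other than the character itself is ever inserted. */
char *quote_doubled(const char *s)
{
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        *p++ = *s;
        if (*s == '\'' || *s == '\\')
            *p++ = *s;   /* repeat the character instead of prefixing it */
    }
    *p = '\0';
    return out;
}

/* Property the '' form guarantees and the \' form does not: every quote
 * in the escaped text is one of an adjacent pair, so no single ' can end
 * the literal the caller wraps around it. Returns 1 if that holds. */
int quotes_are_paired(const char *escaped)
{
    for (const char *p = escaped; *p; p++)
        if (*p == '\'') {
            if (p[1] != '\'') return 0;
            p++;
        }
    return 1;
}
```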