On Tue, 2006-05-30 at 07:58 +0200, Martin Pitt wrote:

> > > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > > escape quoting, which makes it vulnerable against this attack with
> > > earlier PostgreSQL versions, and will break with the current one
> > > (since it disables this method of quote escaping by default in
> > > affected client encodings). A quick fix is to change the function to
> > > use '' instead of \', but a better fix is to completely replace the
> > > loop with an invocation of PQescapeString() from libpq.
Upstream fixes here:

http://dovecot.org/list/dovecot-cvs/2006-May/005621.html
http://dovecot.org/list/dovecot-cvs/2006-May/005623.html

Although my testing hasn't got further than "it compiles" yet..
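As an added illustration of the "quick fix" Martin describes (doubling quotes instead of backslash-escaping them), here is a stand-alone C version of such a quoting routine. It is example code written for this page, not the Dovecot pgsql_quote() implementation or the upstream patch, and the function names pgsql_quote_doubled() and build_user_query() are made up for the example. The sample input is constructed. Backslashes are doubled as well, because a PostgreSQL server that still treats backslash as an escape character would otherwise read a trailing backslash as escaping the closing quote; PQescapeString() in libpq does the same, which is why the mail recommends it over a hand-written loop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code (not Dovecot's): escape a value for use inside a
 * single-quoted PostgreSQL string literal by doubling every single
 * quote and every backslash, rather than prefixing quotes with \.
 * Returns a malloc'd buffer the caller must free, or NULL on OOM. */
char *pgsql_quote_doubled(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p != '\0'; p++)
        if (*p == '\'' || *p == '\\')
            extra++;

    char *out = malloc(strlen(in) + extra + 1);
    if (out == NULL)
        return NULL;

    char *q = out;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '\'' || *p == '\\')
            *q++ = *p;          /* emit the character twice */
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Example code: assemble a lookup query with the escaped value.
 * The table/column names are hypothetical. Caller frees the result. */
char *build_user_query(const char *username)
{
    char *safe = pgsql_quote_doubled(username);
    if (safe == NULL)
        return NULL;

    const char *fmt = "SELECT password FROM users WHERE userid = '%s'";
    size_t n = strlen(fmt) + strlen(safe) + 1;
    char *query = malloc(n);
    if (query != NULL)
        snprintf(query, n, fmt, safe);
    free(safe);
    return query;
}

int main(void)
{
    /* constructed sample input containing both a quote and a backslash */
    char *q = build_user_query("o'brien\\");
    if (q == NULL)
        return 1;
    puts(q);
    free(q);
    return 0;
}
```

In real code, the libpq routine the mail points to is the better choice, since PQescapeString(to, from, length) requires only a destination buffer of 2*length+1 bytes and is maintained alongside the server's quoting rules rather than re-implemented by each application.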