Hi again,

Martin Pitt [2006-06-10 18:03 +0200]:
> Olivier Bornet [2006-06-08 12:30 +0200]:
> > using version 7.4.7-6sarge2 of postgresql-contrib causes trouble in
> > database replication using /usr/lib/postgresql/bin/DBMirror.pl
>
> Thanks for your report. I forwarded it upstream since I'm unsure how
> to fix it properly (and I never used DBMirror myself).

Upstream confirmed my reply in the last mail in [1]: the complete
escaping logic in DBMirror.pl is seriously screwed.

[1] http://archives.postgresql.org/pgsql-bugs/2006-06/msg00065.php

> > The problem I have found is if there is a ' character (the single quote)
> > in the data. In this case, the single quote (') is replaced by two
> > single quotes ('') in the table PendingData. This causes the replication
> > process to stop with a message "Error in PendingData Sequence Id XXX".
>
> Actually escaping a quote (') with '' instead of \' is one of the key
> changes of this security update, since \' is prone to an SQL injection
> attack in some cases. Your patch essentially reverts that, so I think
> it is not the correct solution. Let's hope that upstream has a better
> idea.

I can revert the security patch for DBMirror.pl, so that it will only
break if you use one of the affected client encodings (which should be
the minority of users, though). Since PostgreSQL now rejects \' escaping
in these encodings, it wouldn't reopen the hole either.

I'm going to try out DBMirror.pl myself, I guess.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
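The thread turns on two ways of escaping a single quote inside a SQL string literal: doubling it ('') as the security update does, or prefixing a backslash (\'), which PostgreSQL now rejects for the affected client encodings. The example below is added here to illustrate that point; it is not code from the thread, from DBMirror.pl or from PostgreSQL, and the function names are assumptions. It quotes a value by doubling, reads such a literal back (the step that, per the thread, DBMirror.pl's consumer of PendingData gets wrong), and flags literals that still rely on the backslash form. Doubling introduces no backslash byte, so the result does not depend on how a client encoding interprets 0x5c.

```python
# Added example (not from the mailing-list thread, DBMirror.pl or PostgreSQL):
# quoting a value as a SQL string literal by doubling single quotes, and
# parsing such a literal back so a consumer does not choke on ''.


def quote_literal(value: str) -> str:
    """Quote value as a SQL string literal by doubling each single quote.

    No backslash is introduced, so the result does not depend on whether the
    client encoding treats the 0x5c byte as part of a multibyte character.
    """
    return "'" + value.replace("'", "''") + "'"


def unquote_literal(literal: str) -> str:
    """Parse a literal produced by quote_literal back into its value.

    Raises ValueError if the literal is not well formed, in particular if a
    single quote appears inside the body without being doubled.
    """
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a quoted literal: %r" % literal)
    body = literal[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "'":
            # Only the doubled form '' is valid inside the body and stands
            # for one literal quote; a lone quote would end the literal early.
            if i + 1 < len(body) and body[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            raise ValueError("undoubled quote in literal: %r" % literal)
        out.append(ch)
        i += 1
    return "".join(out)


def uses_backslash_escape(literal: str) -> bool:
    """Return True if the literal relies on the \\' escaping style that the
    security update discussed in the thread moved away from."""
    return "\\'" in literal


def roundtrip(values):
    """Quote every value, parse each literal back, and return the recovered
    values; a consumer written this way survives data containing quotes."""
    return [unquote_literal(quote_literal(v)) for v in values]


if __name__ == "__main__":
    # Constructed sample values, including the kind of data from the report.
    sample = ["O'Reilly", "no quotes", "it''s already doubled", ""]
    for v, lit in zip(sample, (quote_literal(v) for v in sample)):
        print("%-25r -> %r" % (v, lit))
    print("round trip ok:", roundtrip(sample) == sample)
```

Any reader of PendingData (or of any text that carries quoted literals) should parse the '' form the way unquote_literal does instead of assuming one quote character per stored quote; that is the consumer-side half of the fix that the thread says DBMirror.pl lacks.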