Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett

and Dmitry Tkach
 Modified Files:
  Tag: REL7_3_STABLE
 	jdbc/org/postgresql/Driver.java.in
 	jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

diff --git a/src/interfaces/jdbc/org/postgresql/Driver.java.in b/src/interfaces/jdbc/org/postgresql/Driver.java.in
index 164c1d056b4aec232d461c65324c2a3a3f901387..241c5889de7e2ea1536ecf6ebf47f143696bc925 100644 (file)
--- a/src/interfaces/jdbc/org/postgresql/Driver.java.in
+++ b/src/interfaces/jdbc/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
    }
 
    //The build number should be incremented for every new build
-   private static int m_buildNumber = 111;
+   private static int m_buildNumber = 112;
 
 }

diff --git a/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java b/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
index 1558e2b50275dfc4211a3be654e57c2f7e4372bf..77f5187d17fb3ea41c2d11877a703c4529a99e10 100644 (file)
--- a/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
+++ b/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
@@ -8,7 +8,7 @@ import java.util.Vector;
 import org.postgresql.largeobject.*;
 import org.postgresql.util.*;
 
-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.5 2003/07/22 05:13:05 barry Exp $
+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.12.2.6 2003/07/23 23:34:31 barry Exp $
  * This class defines methods of the jdbc1 specification.  This class is
  * extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
  * methods.  The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
                sbuf.setLength(0);
                sbuf.ensureCapacity(x.length());
                sbuf.append('\'');
-               escapeString(x, sbuf);
+               escapeString(x, sbuf, true);
                sbuf.append('\'');
                bind(parameterIndex, sbuf.toString(), type);
            }
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
        {
            sbuf.setLength(0);
            sbuf.ensureCapacity(p_input.length());
-           escapeString(p_input, sbuf);
+           escapeString(p_input, sbuf, false);
            return sbuf.toString();
        }
    }
 
-   private void escapeString(String p_input, StringBuffer p_output) {
+   /*
+    * p_allowStatementTerminator determines if a semi-colon is allowed in the
+    * returned value.  A semi-colon should only be allowed if the resulting 
+    * string will be enclosed in single quotes in a sql string, or will be 
+    * passed by value to the server via a bind thus bypassing the sql parser
+    * on the server.
+    */
+   private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
        for (int i = 0 ; i < p_input.length() ; ++i)
        {
            char c = p_input.charAt(i);
-           if (c == '\\' || c == '\'')
-               p_output.append((char)'\\');
-           p_output.append(c);
+           switch (c)
+           {
+               case '\\':
+               case '\'':
+                   p_output.append('\\');
+                   p_output.append(c);
+                   break;
+               case '\0':
+                   throw new IllegalArgumentException("\\0 not allowed");
+               case ';':
+                   if (!p_allowStatementTerminator)
+                       throw new IllegalArgumentException("semicolon not allowed");
+               default:
+                   p_output.append(c);
+           }
        }
    }