Patch to fix additional SQL injection vulnerabilities reported by Oliver Jowett
authorBarry Lind <[email protected]>
Wed, 23 Jul 2003 23:34:31 +0000 (23:34 +0000)
committerBarry Lind <[email protected]>
Wed, 23 Jul 2003 23:34:31 +0000 (23:34 +0000)
and Dmitry Tkach
 Modified Files:
  Tag: REL7_3_STABLE
  jdbc/org/postgresql/Driver.java.in
  jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

src/interfaces/jdbc/org/postgresql/Driver.java.in
src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

index 164c1d056b4aec232d461c65324c2a3a3f901387..241c5889de7e2ea1536ecf6ebf47f143696bc925 100644 (file)
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
        }
 
        //The build number should be incremented for every new build
-       private static int m_buildNumber = 111;
+       private static int m_buildNumber = 112;
 
 }
index f41216d68ccc5b69186734ac56abf6b3fa810048..925fc0614f8a8a86f843f2c758afcb4eb0e16e47 100644 (file)
@@ -914,7 +914,7 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
                                sbuf.setLength(0);
                                sbuf.ensureCapacity(x.length());
                                sbuf.append('\'');
-                               escapeString(x, sbuf);
+                               escapeString(x, sbuf, true);
                                sbuf.append('\'');
                                bind(parameterIndex, sbuf.toString(), type);
                        }
@@ -928,18 +928,37 @@ public abstract class AbstractJdbc1Statement implements org.postgresql.PGStateme
                {
                        sbuf.setLength(0);
                        sbuf.ensureCapacity(p_input.length());
-                       escapeString(p_input, sbuf);
+                       escapeString(p_input, sbuf, false);
                        return sbuf.toString();
                }
        }
 
-       private void escapeString(String p_input, StringBuffer p_output) {
+       /*
+        * p_allowStatementTerminator determines if a semi-colon is allowed in the
+        * returned value.  A semi-colon should only be allowed if the resulting 
+        * string will be enclosed in single quotes in a sql string, or will be 
+        * passed by value to the server via a bind thus bypassing the sql parser
+        * on the server.
+        */
+       private void escapeString(String p_input, StringBuffer p_output, boolean p_allowStatementTerminator) {
                for (int i = 0 ; i < p_input.length() ; ++i)
                {
                        char c = p_input.charAt(i);
-                       if (c == '\\' || c == '\'')
-                               p_output.append((char)'\\');
-                       p_output.append(c);
+                       switch (c)
+                       {
+                           case '\\':
+                           case '\'':
+                                       p_output.append('\\');
+                                       p_output.append(c);
+                                       break;
+                           case '\0':
+                                       throw new IllegalArgumentException("\\0 not allowed");
+                           case ';':
+                                       if (!p_allowStatementTerminator)
+                                               throw new IllegalArgumentException("semicolon not allowed");
+                               default:
+                                       p_output.append(c);
+                       }
                }
        }
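Review bot: The new `\0` and `;` rejections in escapeString are raised as IllegalArgumentException, an unchecked exception, so a JDBC caller that wraps the setString path (line 914 hunk) in `catch (SQLException e)` will not see it and the failure escapes as a RuntimeException; since escapeString is private and both visible callers appear to be setString/escaping paths whose signatures are outside the hunk, consider declaring `throws SQLException` on escapeString and throwing `new SQLException("\\0 not allowed")` / `new SQLException("semicolon not allowed")` (or the driver's own SQLException subclass) instead. Also, when p_allowStatementTerminator is true the `case ';'` branch deliberately drops into `default` to append the character; mark that with `// fall through` immediately above `default:` so the intent survives linting and later edits. Finally, rejecting `;` only narrows the unquoted case — an unquoted value is still injectable without any semicolon — so the header comment should state that limitation explicitly, e.g. `* Rejecting ';' is defense in depth only; a value not enclosed in single quotes is never safe to splice into SQL.`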