This problem looks to be in the libpq itself, not the pam library module itself.
I could probably extend the module to include the escape check itself. Shouldn't hurt any queries adding that check before making submissions, whether this patch has been added or not. Simple check for formatting should do it.

Want to discuss this fix privately or on the list? Or do you just want me to take the package and fix on my own?

Also, who would be sponsoring my package once I took this over? Would you be doing it or do I need to make a request for a different sponsor? Either is fine for me. All depends on _your_ time allowance.

> There is a security problem with the way it accesses the database, in that
> single quotes are not escaped.
>
> A discussion of the problem, and a suggested fix, is here:
>
> http://cert.uni-stuttgart.de/advisories/apache_auth.php
>
> I myself don't have the time to look into this...
>
> Regards,
> Leon.