Hello again, sorry for spamming you today, but I promise that this is the last mail; it's the one remaining test case failure for me.
I have some test cases to verify the handling of the obsolete \'
escaping in different locales (cf. CVE-2006-2313).
Up to 9.0, \' was still allowed in safe locales, but not in unsafe ones (sorry
for German error messages, but they just complain about unsafe usage of \'):
----------------------- 8< ----------------
$ printf "set client_encoding='SJIS'; select '\\\\'a'" | psql -Atq template1
FEHLER: unsichere Verwendung von \' in Zeichenkettenkonstante
LINE 1: select '\'a'
^
HINT: Verwenden Sie '', um Quotes in Zeichenketten zu schreiben. \' ist in
bestimmten Client-seitigen Kodierungen unsicher.
$ printf "set client_encoding='UTF8'; select '\\\\'a'" | psql -Atq template1
WARNUNG: nicht standardkonforme Verwendung von \' in Zeichenkettenkonstante
LINE 1: select '\'a'
^
HINT: Verwenden Sie '', um Quotes in Zeichenketten zu schreiben, oder
verwenden Sie die Syntax für Escape-Zeichenketten (E'...').
'a
----------------------- 8< ----------------
(Note the last line here, where it outputs 'a).
9.1 still rejects \' in SJIS, but it now also rejects \' in
UTF-8:
----------------------- 8< ----------------
$ printf "set client_encoding='SJIS'; select '\\\\'a'" | psql -Atq template1
ERROR: unterminated quoted string at or near "'"
LINE 1: select '\'a'
$ printf "set client_encoding='UTF8'; select '\\\\'a'" | psql -Atq template1
ERROR: unterminated quoted string at or near "'"
LINE 1: select '\'a'
----------------------- 8< ----------------
Since HISTORY does not mention this, is that an explicit decision to
finally deprecate the old \' syntax (which would be great, as it makes
this thing a lot more robust and deterministic, but it might be worth
mentioning it in HISTORY), or an unintended side effect?
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
signature.asc
Description: Digital signature
