Re: [HACKERS] Escaping strings for inclusion into SQL queries

[Florian Weimer]

"Joe Conway" <[EMAIL PROTECTED]> writes:

> I found a problem with PQescapeString (I think). Since it escapes
> null bytes to be literally '\0', the following can happen:
> 1. User inputs string value as "<null byte>##" where ## are digits in the
> range of 0 to 7.
> 2. PQescapeString converts this to "\0##"
> 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> an octal escape sequence.

I agree that this is a problem, though it is not possible to do
anything harmful with it.  In addition, it only occurs if there are
any NUL characters in its input, which is very unlikely if you are
using C strings.

The patch below addresses the issue by removing escaping of \0
characters entirely.

> If the goal is to "safely" encode null bytes, and preserve the rest of the
> string as it was entered, I think the null bytes should be escaped as \\000
> (note that if you simply use \000 the same string truncation problem
> occurs).

We can't do that, this would require 4n + 1 bytes of storage for the
result, breaking the interface.

-- 
Florian Weimer                    [EMAIL PROTECTED]
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


Index: fe-exec.c
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/src/interfaces/libpq/fe-exec.c,v
retrieving revision 1.110
diff -u -r1.110 fe-exec.c
--- fe-exec.c   2001/09/07 22:02:32     1.110
+++ fe-exec.c   2001/09/11 14:20:10
@@ -59,7 +59,7 @@
 /* ---------------
  * Escaping arbitrary strings to get valid SQL strings/identifiers.
  *
- * Replaces "\\" with "\\\\", "\0" with "\\0", and "'" with "''".
+ * Replaces "\\" with "\\\\" and "'" with "''".
  * length is the length of the buffer pointed to by
  * from.  The buffer at to must be at least 2*length + 1 characters
  * long.  A terminating NUL character is written.
@@ -75,13 +75,6 @@
 
        while (remaining > 0) {
                switch (*source) {
-               case '\0':
-                       *target = '\\';
-                       target++;
-                       *target = '0';
-                       /* target and remaining are updated below. */
-                       break;
-                       
                case '\\':
                        *target = '\\';
                        target++;


---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly