Package: pdns-backend-sqlite
Version: 2.9.21.2-1
Severity: important

Backslash escapes are not supported by sqlite
(http://www.sqlite.org/lang_expr.html "Literal Values") but
pdns-backend-sqlite will insert them, and tries to escape single quotes
in SQL with them.

http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/gsqlitebackend/ssqlite.cc?rev=210#L136

As a result, a BIND format zone file that uses \032 to introduce a space
will, when AXFRed to pdns with sqlite, insert a record like "some\\
string\\ with\\ spaces". This will not be returned correctly in DNS.

If you want to see this in action:

BIND:

$ dig +noall +answer -t ptr _http._tcp.atomic-x.co.uk @a.authns.bitfolk.com.
_http._tcp.atomic-x.co.uk. 1800 IN      PTR     atomic-x\.co\.uk\032Homepage._http._tcp.atomic-x.co.uk.
_http._tcp.atomic-x.co.uk. 1800 IN      PTR     atomic-x\.co\.uk\032Webmail._http._tcp.atomic-x.co.uk.

PDNS:

$ dig +noall +answer -t ptr _http._tcp.atomic-x.co.uk @b.authns.bitfolk.com.
_http._tcp.atomic-x.co.uk. 1800 IN      PTR     atomic-x\.co\.uk\\\000.
_http._tcp.atomic-x.co.uk. 1800 IN      PTR     atomic-x\.co\.uk\\\000.

Since escaping single quotes is a security precaution, it may also be
possible to introduce a security problem in this manner.

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-23-xen (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pdns-backend-sqlite depends on:
ii  libc6                  2.7-18lenny4      GNU C Library: Shared libraries
ii  libgcc1                1:4.3.2-1.1       GCC support library
ii  libsqlite0             2.8.17-4          SQLite shared library
ii  libstdc++6             4.3.2-1.1         The GNU Standard C++ Library v3
ii  pdns-server            2.9.21.2-1        extremely powerful and versatile n
ii  sqlite                 2.8.17-4          command line interface for SQLite
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

pdns-backend-sqlite recommends no packages.

pdns-backend-sqlite suggests no packages.

-- no debconf information
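
The escaping mismatch described in this report, as an added example that is not part of the original report and is not PowerDNS code. It assumes Python's sqlite3 module (SQLite 3, whose string-literal rules match the documentation cited above); backslash_escape() is a hypothetical model of the behaviour the report describes, and the record values are constructed.

```python
import sqlite3

def backslash_escape(value):
    # Hypothetical model of the reported behaviour (not the PowerDNS source):
    # MySQL-style escaping, which SQLite string literals do not understand.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def quote_doubling_escape(value):
    # SQL-standard literal escaping: a single quote is written as two.
    return value.replace("'", "''")

def roundtrip(value, escape=None):
    """Insert value into an in-memory table and return what SQLite stored.

    escape=None uses a bound parameter; otherwise the escaped value is
    spliced into the statement text. Returns None if SQLite rejects it.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (content TEXT)")
    try:
        if escape is None:
            db.execute("INSERT INTO records (content) VALUES (?)", (value,))
        else:
            sql = "INSERT INTO records (content) VALUES ('%s')" % escape(value)
            db.execute(sql)
        return db.execute("SELECT content FROM records").fetchone()[0]
    except sqlite3.Error:
        return None
    finally:
        db.close()

if __name__ == "__main__":
    # Constructed sample values: a label using \032 and a value with a quote.
    samples = ["some\\032string\\032with\\032spaces", "it's a label"]
    methods = [("backslash", backslash_escape),
               ("quote doubling", quote_doubling_escape),
               ("bound parameter", None)]
    for value in samples:
        for name, escape in methods:
            stored = roundtrip(value, escape)
            status = "intact" if stored == value else "CHANGED or rejected"
            print("%-16s %-40r -> %r (%s)" % (name, value, stored, status))
```

Backslash escaping stores every backslash twice and leaves a single quote free to end the literal, while quote doubling and bound parameters return the value unchanged.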


