Hello all,

A bug has been found in libpq's string escaping functions (which libpqxx
uses internally) that may affect you as well.

The string-escaping functions, which you would access in libpqxx using the
sqlesc() or escape_binary() functions, fail to take encoding into
account--and so may produce the wrong results for certain non-ASCII data. 
This can cause applications to fail on some data, but more than that, it's
a security risk.

There are two things that can be done about this.  PLEASE DO BOTH IF AT
ALL POSSIBLE:

1. Upgrade libpq, and rebuild your libpqxx using this latest version.
That contains a workaround that should take care of the security risk in
most cases, though it's not perfect.

2. Upgrade to the latest libpqxx: 2.6.6, released today.  Then, in your
own code, replace all your usage of sqlesc() with equivalent calls to
esc() functions in the transaction classes.  This will fix both the
security problem and the failures when escaping strings--but only if you
have upgraded libpq.

More information about the problem, and a list of patched libpq versions,
can be found at:

    http://www.postgresql.org/docs/techdocs.52

Expect another libpqxx update soon, introducing a similar replacement
escape_binary().  For now, the regular-string case was considered too
urgent to withhold an update.

For the latest libpqxx download, see http://pqxx.org/ or
http://thaiopensource.org/libpqxx/


Jeroen


_______________________________________________
Libpqxx-general mailing list
[email protected]
http://gborg.postgresql.org/mailman/listinfo/libpqxx-general