Michael Meskes <[EMAIL PROTECTED]> wrote:

> > I found bug in ecpg concerning processing of the multi-byte character-code.
> > I reported as bug#2956 before. 
> I'm just committing the changes to CVS but only to HEAD because I cannot
> check if my changes broke something. The sources work fine on my system
> and the regression tests pass without a problem. But then I do not have
> a setup similar to yours. Could you please test this?

I tested the change and it worked fine, but I found that this fix
should be backported -- it might cause SQL injections depending on
the server configurations.

The attached patches are backports for the past releases.
I hope you will apply them. Thanks.

1. initdb --no-locale --encoding=UTF8
2. SET client_encoding = sjis in postgresql.conf
3. ecpg test.pgc
4. gcc test.c
5. test < src.sjis.txt

The first charactor is a Japanese kanji. (0x95+0x5c)

-- 8.3dev
表'; SELECT 9999;--

-- 8.2.3 : backslash_quote = safe_encoding
sql error 'unsafe use of \' in a string literal' in line 21.

-- 8.2.3 : backslash_quote = on  (SQL injection!)

-- 8.2.3 with patch : backslash_quote = safe_encoding
表'; SELECT 9999;--

ITAGAKI Takahiro
NTT Open Source Software Center

Attachment: test.pgc
Description: Binary data

Attachment: src.sjis.txt
Description: Binary data

Attachment: ecpg-quote_8.0.11-7.4.10.diff
Description: Binary data

Attachment: ecpg-quote_8.1.7.diff
Description: Binary data

Attachment: ecpg-quote_8.2.3.diff
Description: Binary data

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to