Your message dated Sun, 03 Mar 2013 14:48:36 +0000
with message-id <[email protected]>
and subject line Bug#695233: fixed in sqlobject 0.12.4-2.2
has caused the Debian Bug report #695233,
regarding python-sqlobject: SQLObject doesn't escape strings correctly for postgresql 9.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
695233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-sqlobject
Version: 0.12.4-2.1
Severity: important
Tags: patch

Dear Maintainer,

Postgresql 9.1 changed the default value of standard_conforming_strings
to on. This disables treating \ as escape characters by default and 
control characters now need to be explicitly escaped using postgresql's
E'' syntax. SQLObject only added support for E'' escapes in version
1.2.0, so older versions (such as Debian's 0.12.4) do the wrong thing
when used against wheezy's postgresql server. This results in rather
unexpected behaviour when using sqlobject and postgres.

The attached patch backports the relevant changes from SQLObject 1.2.0
to 0.12.4. I've tested this with my application against both postgres
8.4 and 9.1, and, with the patch, it works correctly against both
versions while it fails against 9.1 without the patch.

The postgresql 9.1 release notes
(http://www.postgresql.org/docs/9.1/static/release-9-1.html) do mention
that escaping strings incorrectly could lead to security issues, although
I'm not certain if this will apply to any software in Debian.

"This change can break applications that are not expecting it and do
their own string escaping according to the old rules. The consequences
could be as severe as introducing SQL-injection security holes. Be sure
to test applications that are exposed to untrusted input, to ensure that
they correctly handle single quotes and backslashes in text strings."

The patch probably breaks support for sqlobject and postgresql 7 - I
haven't tested that and I don't think that is a significant concern.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-sqlobject depends on:
ii  python                2.7.3~rc2-1
ii  python-formencode     1.2.4-2
ii  python-pkg-resources  0.6.24-1
ii  python-support        1.0.15

python-sqlobject recommends no packages.

Versions of packages python-sqlobject suggests:
pn  python-kinterbasdb  <none>
pn  python-maxdb        <none>
ii  python-mysqldb      1.2.3-1+b1
ii  python-psycopg2     2.4.5-1
pn  python-sqlite       <none>

-- no debconf information
Index: sqlobject/converters.py
===================================================================
--- sqlobject/converters.py	(revision 4567)
+++ sqlobject/converters.py	(working copy)
@@ -1,6 +1,11 @@
+from array import array
+import datetime
+from decimal import Decimal
 import sys
-from array import array
+import time
+from types import ClassType, InstanceType, NoneType
 
+
 try:
     import mx.DateTime.ISO
     origISOStr = mx.DateTime.ISO.strGMT
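Review bot: this hunk and the next one only relocate `import time`, `import datetime`, `from decimal import Decimal` and `from types import ...` to the top of the module; none of that is needed for the E'' fix, and for a distribution backport a diff limited to the quoting change is easier to audit and to drop when the package moves to 1.2.0. If the reordering is kept to match upstream, say so in the patch header.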
@@ -15,17 +20,12 @@
         DateTimeType = None
         DateTimeDeltaType = None
 
-import time
-import datetime
-
 try:
     import Sybase
     NumericType=Sybase.NumericType
 except ImportError:
     NumericType = None
 
-from decimal import Decimal
-from types import ClassType, InstanceType, NoneType
 
 ########################################
 ## Quoting
@@ -90,6 +90,8 @@
         value = value.replace("'", "''")
     else:
         assert 0, "Database %s unknown" % db
+    if db in ('postgres', 'rdbhost') and ('\\' in value):
+        return "E'%s'" % value
     return "'%s'" % value
 
 registerConverter(str, StringLikeConverter)
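Review bot: the added branch `if db in ('postgres', 'rdbhost') and ('\\' in value): return "E'%s'" % value` picks the literal form by looking for a backslash in the already-escaped value, which is only correct because every escape sequence the postgres branch above emits starts with a backslash; a one-line comment stating that invariant would stop a future change to the escape table from silently breaking it. Worth noting for the changelog: E'...' is also accepted by 8.4 with standard_conforming_strings off, which is why the reporter sees the same result against both servers.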
@@ -198,3 +200,17 @@
         return converter(obj, db)
     else:
         return reprFunc(db)
+
+
+def quote_str(s, db):
+    if db in ('postgres', 'rdbhost') and ('\\' in s):
+        return "E'%s'" % s
+    return "'%s'" % s
+
+def unquote_str(s):
+    if s.upper().startswith("E'") and s.endswith("'"):
+        return s[2:-1]
+    elif s.startswith("'") and s.endswith("'"):
+        return s[1:-1]
+    else:
+        return s
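Review bot: `quote_str` repeats the exact `db in ('postgres', 'rdbhost') and ('\\' in s)` test added to the converter in the previous hunk; have the converter call `quote_str(value, db)` so the rule lives in one place. Both helpers also need a docstring saying they expect already-escaped input: `quote_str` adds delimiters only and never doubles a quote, and `unquote_str` strips `E'`/`'` delimiters while leaving `''` doubling and backslash escapes intact, which is exactly what the `_LikeQuoted` caller needs but would be wrong for raw user data.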
Index: sqlobject/sqlbuilder.py
===================================================================
--- sqlobject/sqlbuilder.py	(revision 4567)
+++ sqlobject/sqlbuilder.py	(working copy)
@@ -70,7 +70,7 @@
 import weakref
 
 import classregistry
-from converters import sqlrepr, registerConverter
+from converters import registerConverter, sqlrepr, quote_str, unquote_str
 
 
 class VersionError(Exception):
@@ -896,18 +896,18 @@
         if isinstance(s, SQLExpression):
             values = []
             if self.prefix:
-                values.append("'%s'" % self.prefix)
+                values.append(quote_str(self.prefix, db))
             s = _quote_like_special(sqlrepr(s, db), db)
             values.append(s)
             if self.postfix:
-                values.append("'%s'" % self.postfix)
+                values.append(quote_str(self.postfix, db))
             if db == "mysql":
                 return "CONCAT(%s)" % ", ".join(values)
             else:
                 return " || ".join(values)
         elif isinstance(s, basestring):
-            s = _quote_like_special(sqlrepr(s, db)[1:-1], db)
-            return "'%s%s%s'" % (self.prefix, s, self.postfix)
+            s = _quote_like_special(unquote_str(sqlrepr(s, db)), db)
+            return quote_str("%s%s%s" % (self.prefix, s, self.postfix), db)
         else:
            raise TypeError, "expected str, unicode or SQLExpression, got %s" % type(s)
 
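Review bot: `quote_str(self.prefix, db)` and `quote_str(self.postfix, db)` wrap the prefix and postfix without running them through `sqlrepr`, so a prefix containing a single quote or backslash would land in the query unescaped; the replaced `"'%s'" % self.prefix` lines had the same gap, so this is not a regression, but either escape them or document that prefix and postfix are restricted to LIKE wildcards. In the `basestring` branch the value is now unquoted, passed through `_quote_like_special`, and re-quoted, so the backslash that escapes `%` or `_` triggers the E prefix; that matches the new `test_like_quoted` expectation.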
Index: sqlobject/tests/test_converters.py
===================================================================
--- sqlobject/tests/test_converters.py	(revision 4567)
+++ sqlobject/tests/test_converters.py	(working copy)
@@ -1,9 +1,11 @@
 import sys
 from sqlobject.sqlbuilder import sqlrepr
+from sqlobject.converters import registerConverter, sqlrepr, \
+     quote_str, unquote_str
 from sqlobject.sqlbuilder import SQLExpression, SQLObjectField, \
      Select, Insert, Update, Delete, Replace, \
-     SQLTrueClauseClass, SQLConstant, SQLPrefix, SQLCall, SQLOp
-from sqlobject.converters import registerConverter
+     SQLTrueClauseClass, SQLConstant, SQLPrefix, SQLCall, SQLOp, \
+     _LikeQuoted
 
 class TestClass:
 
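Review bot: `sqlrepr` is imported twice here, from `sqlobject.sqlbuilder` on the unchanged second line and again from `sqlobject.converters` on the added lines; the second import silently rebinds the first, so keep only one of them.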
@@ -40,23 +42,23 @@
     assert sqlrepr('A String', 'firebird') == "'A String'"
 
 def test_string_newline():
-    assert sqlrepr('A String\nAnother', 'postgres') == "'A String\\nAnother'"
+    assert sqlrepr('A String\nAnother', 'postgres') == "E'A String\\nAnother'"
     assert sqlrepr('A String\nAnother', 'sqlite') == "'A String\nAnother'"
 
 def test_string_tab():
-    assert sqlrepr('A String\tAnother', 'postgres') == "'A String\\tAnother'"
+    assert sqlrepr('A String\tAnother', 'postgres') == "E'A String\\tAnother'"
 
 def test_string_r():
-    assert sqlrepr('A String\rAnother', 'postgres') == "'A String\\rAnother'"
+    assert sqlrepr('A String\rAnother', 'postgres') == "E'A String\\rAnother'"
 
 def test_string_b():
-    assert sqlrepr('A String\bAnother', 'postgres') == "'A String\\bAnother'"
+    assert sqlrepr('A String\bAnother', 'postgres') == "E'A String\\bAnother'"
 
 def test_string_000():
-    assert sqlrepr('A String\000Another', 'postgres') == "'A String\\0Another'"
+    assert sqlrepr('A String\000Another', 'postgres') == "E'A String\\0Another'"
 
 def test_string_():
-    assert sqlrepr('A String\tAnother', 'postgres') == "'A String\\tAnother'"
+    assert sqlrepr('A String\tAnother', 'postgres') == "E'A String\\tAnother'"
     assert sqlrepr('A String\'Another', 'firebird') == "'A String''Another'"
 
 def test_simple_unicode():
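Review bot: every updated postgres assertion contains a control character, so the suite never shows the other half of the rule: a postgres string with a single quote and no backslash must still come out as a plain `'...'` literal, and a value containing a literal backslash must come out as `E'...'`. Mirror the firebird assertion on the last changed line for postgres (`assert sqlrepr("A String'Another", 'postgres') == "'A String''Another'"`) and add one case with a backslash in the input. Unrelated but visible: `test_string_` repeats the tab assertion from `test_string_tab`.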
@@ -195,3 +197,18 @@
             pass
         else:
             assert sqlrepr(Set([1])) == "(1)"
+
+def test_quote_unquote_str():
+    assert quote_str('test%', 'postgres') == "'test%'"
+    assert quote_str('test%', 'sqlite') == "'test%'"
+    assert quote_str('test\%', 'postgres') == "E'test\\%'"
+    assert quote_str('test\\%', 'sqlite') == "'test\%'"
+    assert unquote_str("'test%'") == 'test%'
+    assert unquote_str("'test\\%'") == 'test\\%'
+    assert unquote_str("E'test\\%'") == 'test\\%'
+
+def test_like_quoted():
+    assert sqlrepr(_LikeQuoted('test'), 'postgres') == "'test'"
+    assert sqlrepr(_LikeQuoted('test'), 'sqlite') == "'test'"
+    assert sqlrepr(_LikeQuoted('test%'), 'postgres') == r"E'test\\%'"
+    assert sqlrepr(_LikeQuoted('test%'), 'sqlite') == r"'test\%'"
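Review bot: `quote_str('test\%', 'postgres')` and `quote_str('test\\%', 'sqlite')` spell the same two-character input two ways (`'\%'` is not a recognised Python escape, so the backslash survives), which makes the test read as if the inputs differed; write both with `'\\%'`, or as raw strings as `test_like_quoted` already does with `r"..."`. The expected values themselves are consistent with the `quote_str` rule in the converters hunk.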

--- End Message ---
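Added example, not from the bug report or from SQLObject: a small Python model of how the server reads a string literal under both settings of standard_conforming_strings, next to the 0.12.4 quoting and the backported E'' quoting, so the failure the report describes can be reproduced offline. The escape handling is reduced to the sequences the patched test suite shows and is an assumption of this model, not the server's real parser.

```python
# Escape sequences this model understands; limited to what SQLObject emits
# (assumption of the model, not a full PostgreSQL lexer).
_ESCAPES = {'\\': '\\', 'n': '\n', 't': '\t', 'r': '\r', 'b': '\b', '0': '\0'}


def escape_postgres(value):
    """Backslash-style escaping as 0.12.4 does it for postgres
    (reconstructed from the expected values in the bug's test hunk)."""
    value = value.replace('\\', '\\\\')          # first, so later escapes are not doubled
    value = value.replace("'", "''")
    for ch, name in (('\n', 'n'), ('\t', 't'), ('\r', 'r'), ('\b', 'b'), ('\0', '0')):
        value = value.replace(ch, '\\' + name)
    return value


def quote_old(value):
    """0.12.4 behaviour: always a plain '...' literal."""
    return "'%s'" % escape_postgres(value)


def quote_patched(value):
    """Backport: E'...' whenever the escaped text carries a backslash."""
    escaped = escape_postgres(value)
    return ("E'%s'" if '\\' in escaped else "'%s'") % escaped


def parse_literal(literal, standard_conforming_strings):
    """Decode one complete literal the way the server would: E'...' always
    processes backslashes, a plain '...' only when the setting is off."""
    if literal.upper().startswith("E'"):
        body, escapes = literal[2:-1], True
    else:
        body, escapes = literal[1:-1], not standard_conforming_strings
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "'" and body[i + 1:i + 2] == "'":     # doubled quote in either mode
            out.append("'"); i += 2
        elif c == '\\' and escapes and i + 1 < len(body):
            out.append(_ESCAPES.get(body[i + 1], body[i + 1])); i += 2
        else:
            out.append(c); i += 1
    return ''.join(out)


def round_trips(value, quote, standard_conforming_strings):
    """True when the literal produced by `quote` decodes back to `value`."""
    return parse_literal(quote(value), standard_conforming_strings) == value
```

With standard_conforming_strings on (the 9.1 default), only `quote_patched` round-trips a value containing a newline or a backslash; `quote_old` only survives on a server where the setting is off.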
--- Begin Message ---
Source: sqlobject
Source-Version: 0.12.4-2.2

We believe that the bug you reported is fixed in the latest version of
sqlobject, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Muller <[email protected]> (supplier of updated sqlobject package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 11 Feb 2013 13:03:04 +0200
Source: sqlobject
Binary: python-sqlobject
Architecture: source all
Version: 0.12.4-2.2
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Neil Muller <[email protected]>
Description: 
 python-sqlobject - object relational manager providing an object interface to your d
Closes: 695233
Changes: 
 sqlobject (0.12.4-2.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix "SQLObject doesn't escape strings correctly for postgresql 9.1":
     new patch postgres_escape_0.12.4 backported from upstream (1.2.0).
     (Closes: #695233)


--- End Message ---