upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-02-12 15:23:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/src/interfaces
History
Andres Freund 5dc1e42b4f Fix handling of invalidly encoded data in escaping functions 
Previously invalidly encoded input to various escaping functions could lead to
the escaped string getting incorrectly parsed by psql.  To be safe, escaping
functions need to ensure that neither invalid nor incomplete multi-byte
characters can be used to "escape" from being quoted.

Functions which can report errors now return an error in more cases than
before. Functions that cannot report errors now replace invalid input bytes
with a byte sequence that cannot be used to escape the quotes and that is
guaranteed to error out when a query is sent to the server.

The following functions are fixed by this commit:
- PQescapeLiteral()
- PQescapeIdentifier()
- PQescapeString()
- PQescapeStringConn()
- fmtId()
- appendStringLiteral()

Reported-by: Stephen Fewer <stephen_fewer@rapid7.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Backpatch-through: 13
Security: CVE-2025-1094
2025-02-10 10:03:37 -05:00
..
ecpg meson: Add pg_regress_ecpg to ecpg test dependencies 2025-02-04 17:56:19 -05:00
libpq Fix handling of invalidly encoded data in escaping functions 2025-02-10 10:03:37 -05:00
Makefile Fix parallel make when running make install before make all 2011-03-08 23:52:29 +02:00
meson.build Update copyright for 2025 2025-01-01 11:21:55 -05:00