Disable the use of Unicode escapes in string constants (U&'') when

standard_conforming_strings is not on, for security reasons.

Disable the use of Unicode escapes in string constants (U&'') when
standard_conforming_strings is not on, for security reasons.
40bc4c26 · Peter Eisentraut · 616bceb8 · 40bc4c26 · 40bc4c26 · 40bc4c26
Commit 40bc4c26 authored May 05, 2009 by Peter Eisentraut
4 changed files
--- a/doc/src/sgml/syntax.sgml
+++ b/doc/src/sgml/syntax.sgml
-<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009/04/27 16:27:36 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009/05/05 18:32:17 petere Exp $ -->
 <chapter id="sql-syntax">
 <title>SQL Syntax</title>
@@ -499,6 +499,17 @@ U&amp;'d!0061t!+000061' UESCAPE '!'
     specified.
    </para>
+    <para>
+     Also, the Unicode escape syntax for string constants only works
+     when the configuration
+     parameter <xref linkend="guc-standard-conforming-strings"> is
+     turned on.  This is because otherwise this syntax could confuse
+     clients that parse the SQL statements to the point that it could
+     lead to SQL injections and similar security issues.  If the
+     parameter is set to off, this syntax will be rejected with an
+     error message.
+    </para>
    <para>
     To include the escape character in the string literally, write it
     twice.

--- a/src/backend/parser/scan.l
+++ b/src/backend/parser/scan.l
@@ -24,7 +24,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -469,6 +469,11 @@ other			.
 					startlit();
 				}
 {xusstart}		{
+					if (!standard_conforming_strings)
+						ereport(ERROR,
+								(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+								 errmsg("unsafe use of string constant with Unicode escapes"),
+								 errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));
 					SET_YYLLOC();
 					BEGIN(xus);
 					startlit();

--- a/src/test/regress/expected/strings.out
+++ b/src/test/regress/expected/strings.out
@@ -22,6 +22,7 @@ ERROR:  syntax error at or near "' - third line'"
 LINE 3: ' - third line'
        ^
 -- Unicode escapes
+SET standard_conforming_strings TO on;
 SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
 data 
 ------
@@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
 dat\+000061
 (1 row)
+SELECT U&' \' UESCAPE '!' AS "tricky";
+ tricky 
+--------
+  \
+(1 row)
+SELECT 'tricky' AS U&"\" UESCAPE '!';
+   \    
+--------
+ tricky
+(1 row)
 SELECT U&'wrong: \061';
 ERROR:  invalid Unicode escape value at or near "\061'"
 LINE 1: SELECT U&'wrong: \061';
@@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+';
 ERROR:  invalid Unicode escape character at or near "+'"
 LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';
                                         ^
+SET standard_conforming_strings TO off;
+SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+SELECT U&' \' UESCAPE '!' AS "tricky";
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+SELECT 'tricky' AS U&"\" UESCAPE '!';
+   \    
+--------
+ tricky
+(1 row)
+SELECT U&'wrong: \061';
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+SELECT U&'wrong: \+0061';
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+SELECT U&'wrong: +0061' UESCAPE '+';
+ERROR:  unsafe use of string constant with Unicode escapes
+DETAIL:  String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
+RESET standard_conforming_strings;
 --
 -- test conversions between various string types
 -- E021-10 implicit casting among the character data types

--- a/src/test/regress/sql/strings.sql
+++ b/src/test/regress/sql/strings.sql
@@ -17,13 +17,32 @@ SELECT 'first line'
 	AS "Illegal comment within continuation";
 -- Unicode escapes
+SET standard_conforming_strings TO on;
+SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
+SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
+SELECT U&' \' UESCAPE '!' AS "tricky";
+SELECT 'tricky' AS U&"\" UESCAPE '!';
+SELECT U&'wrong: \061';
+SELECT U&'wrong: \+0061';
+SELECT U&'wrong: +0061' UESCAPE '+';
+SET standard_conforming_strings TO off;
 SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
 SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
+SELECT U&' \' UESCAPE '!' AS "tricky";
+SELECT 'tricky' AS U&"\" UESCAPE '!';
 SELECT U&'wrong: \061';
 SELECT U&'wrong: \+0061';
 SELECT U&'wrong: +0061' UESCAPE '+';
+RESET standard_conforming_strings;
 --
 -- test conversions between various string types
 -- E021-10 implicit casting among the character data types