1. 23 May, 2006 4 commits
  2. 22 May, 2006 4 commits
  3. 21 May, 2006 6 commits
    • Tom Lane's avatar
      Update release notes for upcoming releases. · e9cc5302
      Tom Lane authored
      e9cc5302
    • Bruce Momjian's avatar
      c6aa53e8
    • Tom Lane's avatar
      Fix errors in fortuna PRNG reseeding logic that could cause a predictable · 5cf07901
      Tom Lane authored
      session key to be selected by pgp_sym_encrypt() in some cases.  This only
      affects non-OpenSSL-using builds.  Marko Kreen
      5cf07901
    • Tom Lane's avatar
      Modify libpq's string-escaping routines to be aware of encoding considerations · 515112f9
      Tom Lane authored
      and standard_conforming_strings.  The encoding changes are needed for proper
      escaping in multibyte encodings, as per the SQL-injection vulnerabilities
      noted in CVE-2006-2313 and CVE-2006-2314.  Concurrent fixes are being applied
      to the server to ensure that it rejects queries that may have been corrupted
      by attempted SQL injection, but this merely guarantees that unpatched clients
      will fail rather than allow injection.  An actual fix requires changing the
      client-side code.  While at it we have also fixed these routines to understand
      about standard_conforming_strings, so that the upcoming changeover to SQL-spec
      string syntax can be somewhat transparent to client code.
      
      Since the existing API of PQescapeString and PQescapeBytea provides no way to
      inform them which settings are in use, these functions are now deprecated in
      favor of new functions PQescapeStringConn and PQescapeByteaConn.  The new
      functions take the PGconn to which the string will be sent as an additional
      parameter, and look inside the connection structure to determine what to do.
      So as to provide some functionality for clients using the old functions,
      libpq stores the latest encoding and standard_conforming_strings values
      received from the backend in static variables, and the old functions consult
      these variables.  This will work reliably in clients using only one Postgres
      connection at a time, or even multiple connections if they all use the same
      encoding and string syntax settings; which should cover many practical
      scenarios.
      
      Clients that use homebrew escaping methods, such as PHP's addslashes()
      function or even hardwired regexp substitution, will require extra effort
      to fix :-(.  It is strongly recommended that such code be replaced by use of
      PQescapeStringConn/PQescapeByteaConn if at all feasible.
      515112f9
    • Tom Lane's avatar
      Add a new GUC parameter backslash_quote, which determines whether the SQL · b3eb4ea5
      Tom Lane authored
      parser will allow "\'" to be used to represent a literal quote mark.  The
      "\'" representation has been deprecated for some time in favor of the
      SQL-standard representation "''" (two single quote marks), but it has been
      used often enough that just disallowing it immediately won't do.  Hence
      backslash_quote allows the settings "on", "off", and "safe_encoding",
      the last meaning to allow "\'" only if client_encoding is a valid server
      encoding.  That is now the default, and the reason is that in encodings
      such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
      multibyte character, accepting "\'" allows SQL-injection attacks as per
      CVE-2006-2314 (further details will be published after release).  The
      "on" setting is available for backward compatibility, but it must not be
      used with clients that are exposed to untrusted input.
      
      Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
      b3eb4ea5
    • Tom Lane's avatar
      Change the backend to reject strings containing invalidly-encoded multibyte · c61a2f58
      Tom Lane authored
      characters in all cases.  Formerly we mostly just threw warnings for invalid
      input, and failed to detect it at all if no encoding conversion was required.
      The tighter check is needed to defend against SQL-injection attacks as per
      CVE-2006-2313 (further details will be published after release).  Embedded
      zero (null) bytes will be rejected as well.  The checks are applied during
      input to the backend (receipt from client or COPY IN), so it no longer seems
      necessary to check in textin() and related routines; any string arriving at
      those functions will already have been validated.  Conversion failure
      reporting (for characters with no equivalent in the destination encoding)
      has been cleaned up and made consistent while at it.
      
      Also, fix a few longstanding errors in little-used encoding conversion
      routines: win1251_to_iso, win866_to_iso, euc_tw_to_big5, euc_tw_to_mic,
      mic_to_euc_tw were all broken to varying extents.
      
      Patches by Tatsuo Ishii and Tom Lane.  Thanks to Akio Ishida and Yasuo Ohgaki
      for identifying the security issues.
      c61a2f58
  4. 19 May, 2006 13 commits
  5. 18 May, 2006 13 commits