[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2012-03-30 20:02:51
Message-ID: 87zkaxq2l0.fsf () mid ! deneb ! enyo ! de
[Download RAW message or body]

* Ludwig Nussel:

> Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
> postgresql-jdbc before version 8.2-504 however did not know about that
> kind of string and escaped single quotes with a backslash always. When
> such an old version of postgresql-jdbc is used with a newer postgresql
> server it not only breaks when strings contain single quotes, it also
> allows for SQL injections[3].

By the way, if you want to fix this for some reason, you should
probably include support for the modified BYTEA encoding introduced in
the 9.0 server version, too.
[prev in list] [next in list] [prev in thread] [next in thread]