List: oss-security
Subject: Re: [oss-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From: Florian Weimer <fw () deneb ! enyo ! de>
Date: 2012-03-30 20:02:51
Message-ID: 87zkaxq2l0.fsf () mid ! deneb ! enyo ! de
* Ludwig Nussel:
> Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
> postgresql-jdbc before version 8.2-504 however did not know about that
> kind of string and escaped single quotes with a backslash always. When
> such an old version of postgresql-jdbc is used with a newer postgresql
> server, it not only breaks when strings contain single quotes, it also
> allows for SQL injections[3].
By the way, if you want to fix this for some reason, you should
probably include support for the modified BYTEA encoding introduced in
the 9.0 server version, too.
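The mechanism Ludwig describes, as an added illustration that is not part of this thread and not code from postgresql-jdbc or the PostgreSQL server: the driver's escaping is modelled as "replace ' with \'" (the behaviour the post attributes to versions before 8.2-504; the driver's real code is not on this page), and a small, hypothetical string-literal scanner shows where the server stops reading the literal with standard_conforming_strings off versus on. The quote-doubling escape shown beside it is the standard-conforming form that works under both settings for values without backslashes.

```python
# Added example (not from the original post, the postgresql-jdbc driver,
# or the PostgreSQL server). The scanner below is a simplified model of how
# PostgreSQL reads an ordinary '...' literal; it is not server code.


def legacy_jdbc_escape(value: str) -> str:
    """Assumed pre-8.2-504 driver behaviour described in the thread:
    always backslash-escape quotes (and backslashes) inside a literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def standard_escape(value: str) -> str:
    """Standard-conforming escaping: a quote inside '...' is written as ''.
    Note: with standard_conforming_strings off, a backslash in the value
    would additionally need doubling; this helper only handles quotes."""
    return value.replace("'", "''")


def scan_literal(sql: str, start: int, standard_conforming: bool):
    """Return (literal_value, index_after_closing_quote) for the '...'
    literal opening at sql[start].

    standard_conforming_strings off: backslash escapes the next character
    inside the literal (simplified here to \\x -> x), so \\' does NOT end it.
    standard_conforming_strings on:  backslash is an ordinary character and
    only '' is an escaped quote, so \\' DOES end the literal.
    """
    assert sql[start] == "'"
    i = start + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not standard_conforming and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def split_statement(sql: str, standard_conforming: bool):
    """Split a statement into (value of its first string literal, SQL text
    that follows the literal), as the server would parse it. Anything in the
    second element that the application did not intend is injected SQL."""
    start = sql.index("'")
    value, end = scan_literal(sql, start, standard_conforming)
    return value, sql[end:]


def build_query(username: str, escape) -> str:
    """Build the kind of statement an application would send through the
    driver, using the given escaping function (hypothetical query shape)."""
    return "SELECT * FROM users WHERE name = '" + escape(username) + "'"


if __name__ == "__main__":
    # Constructed attacker input: a quote followed by a second statement.
    attacker = "'; DROP TABLE users; --"
    legacy = build_query(attacker, legacy_jdbc_escape)
    print("old driver sends:", legacy)
    for scs in (False, True):
        value, rest = split_statement(legacy, standard_conforming=scs)
        print(f"  standard_conforming_strings={'on' if scs else 'off'}: "
              f"literal={value!r} trailing SQL={rest!r}")
    fixed = build_query(attacker, standard_escape)
    print("quote-doubling sends:", fixed)
    for scs in (False, True):
        print("  ", split_statement(fixed, standard_conforming=scs))
```

With the old driver and the 9.1 default, the literal ends at the attacker's quote and "; DROP TABLE users; --" is left over as trailing SQL; with the pre-9.1 default the same bytes are read as one harmless literal. Doubling quotes instead parses the same way under both settings.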