security issue.
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.363 2006/06/28 16:00:23 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.364 2006/06/30 13:57:46 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL,
because it is too late at that time, and has no effect.
+PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a
+ security issue with \' (bugzilla #107). I could not use the
+ PQescapeStringConn() function, because it needs a PGconn value as one of
+ its arguments.
+
Exim version 4.62
-----------------
-/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.4 2006/02/07 11:19:01 ph10 Exp $ */
+/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.5 2006/06/30 13:57:46 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
does treat the string as "ab%cd". So we can safely quote percent and
underscore. [This is different to MySQL, where you can't do this.]
+The original code quoted single quotes as \' which is documented as valid in
+the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
+the SQL standard '' way of representing a single quote as data. However, in
+June 2006 there was some security issue with using \' and so this has been
+changed.
+
+[Note: There is a function called PQescapeStringConn() that quotes strings.
+This cannot be used because it needs a PGconn argument (the connection handle).
+Why, I don't know. Seems odd for just string escaping...]
+
Arguments:
s the string to be quoted
opt additional option text or NULL if none
while ((c = *s++) != 0)
{
- if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL)
+ if (c == '\'')
+ {
+ *t++ = '\'';
+ *t++ = '\'';
+ }
+ else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL)
{
*t++ = '\\';
switch(c)
${lookup pgsql {select * from them where id='quote2';}}
${lookup pgsql {select * from them where id='newline';}}
${lookup pgsql {select * from them where id='tab';}}
+${lookup pgsql {select * from them where name='${quote_pgsql:'stquot}';}}
****
exim -d -bh 10.0.0.0
mail from:<a@b>
database lookup required for select * from them where id='tab';
PGSQL query: select * from them where id='tab';
PGSQL using cached connection for localhost/test/CALLER
-lookup yielded: name="x x" id=tab
+lookup yielded: name="x x" id=tab
+search_open: pgsql "NULL"
+ cached open
+search_find: file="NULL"
+ key="select * from them where name='''stquot';" partial=-1 affix=NULL starflags=0
+LRU list:
+internal_search_find: file="NULL"
+ type=pgsql key="select * from them where name='''stquot';"
+database lookup required for select * from them where name='''stquot';
+PGSQL query: select * from them where name='''stquot';
+PGSQL using cached connection for localhost/test/CALLER
+lookup yielded: name='stquot id=quote1
search_tidyup called
close PGSQL connection: localhost/test/CALLER
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
> name="before
after" id=newline
> name="x x" id=tab
+> name='stquot id=quote1
>
**** SMTP testing session as if from host 10.0.0.0
projects / exim.git / commitdiff