From: Peter van Dijk Date: Fri, 17 Apr 2020 13:24:56 +0000 (+0200) Subject: quote/escape PG connection parameters X-Git-Tag: auth-4.4.0-alpha1~6^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5326e0af58f1fb0160cb859d77a19be04788df73;p=thirdparty%2Fpdns.git quote/escape PG connection parameters
---
diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index a6c5a53de9..f68edf3054 100644
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -17,6 +17,12 @@ upgrade notes if your version is older than 3.4.2.
 The in-database format of the ``IPSECKEY`` has changed from 'generic' format to its specialized format.
 It is recommended to re-transfer, using ``pdns_control retrieve ZONE``, all zones that have ``IPSECKEY`` or ``TYPE45`` records.
 
+PostgreSQL configuration escaping
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+We now correctly quote/escape Postgres connection parameters.
+If you used single quotes around your Postgres password because it contained spaces, you now need to remove those quotes.
+
 4.3.0 to 4.3.1
 --------------
 
diff --git a/modules/gpgsqlbackend/spgsql.cc b/modules/gpgsqlbackend/spgsql.cc
index fe6e06517a..26aa3b9fbd 100644
--- a/modules/gpgsqlbackend/spgsql.cc
+++ b/modules/gpgsqlbackend/spgsql.cc
@@ -277,6 +277,15 @@ private:
 bool SPgSQL::s_dolog;
 
+static string escapeForPQparam(const string &v)
+{
+  string ret = v;
+  boost::replace_all(ret, "\\", "\\\\");
+  boost::replace_all(ret, "'", "\\'");
+
+  return string("'")+ret+string("'");
+}
+
 SPgSQL::SPgSQL(const string &database, const string &host, const string& port, const string &user, const string &password, const string &extra_connection_parameters, const bool use_prepared)
 {
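Review bot: `escapeForPQparam` has no comment naming the quoting syntax it implements, and the order of its two `replace_all` calls is load-bearing: backslashes have to be doubled before quotes are escaped, otherwise the backslash inserted for `\'` would itself be doubled by a later pass. A short comment above the function would make both explicit, e.g. `// Quote a value for a libpq connection string: wrap in single quotes and escape backslash and single quote with a backslash.` followed by `// Backslashes are doubled first so the escapes added for quotes are not escaped again.` It is also worth stating there why quoting matters at all — an unquoted value containing a space or `=` is otherwise read by libpq as further `keyword=value` pairs — since that is the defect the commit fixes and the reason the values must never go back to being appended raw. The function itself starts and ends inside this hunk.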
@@ -286,16 +295,16 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
   d_nstatements = 0;
 
   if (!database.empty())
-    d_connectstr+="dbname="+database;
+    d_connectstr+="dbname="+escapeForPQparam(database);
 
   if (!user.empty())
-    d_connectstr+=" user="+user;
+    d_connectstr+=" user="+escapeForPQparam(user);
 
   if(!host.empty())
-    d_connectstr+=" host="+host;
+    d_connectstr+=" host="+escapeForPQparam(host);
 
   if(!port.empty())
-    d_connectstr+=" port="+port;
+    d_connectstr+=" port="+escapeForPQparam(port);
 
   if(!extra_connection_parameters.empty())
     d_connectstr+=" " + extra_connection_parameters;
@@ -304,7 +313,7 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
   if(!password.empty()) {
     d_connectlogstr+=" password=";
-    d_connectstr+=" password="+password;
+    d_connectstr+=" password="+escapeForPQparam(password);
   }
   d_use_prepared = use_prepared;
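Review bot: `extra_connection_parameters` is the one value still appended to `d_connectstr` verbatim on the hunk's last line, while the four named parameters are now routed through `escapeForPQparam`; that is presumably deliberate, since the setting is a free-form string of libpq `keyword=value` pairs the operator writes, but nothing in the code says so. A one-line comment on the append, `// raw libpq "key=value" pairs from the config; quoting inside them is the operator's job`, would stop the next reader from either "fixing" it (which would break every existing config) or assuming it is covered by the new escaping. It also records that this setting remains a trust boundary: a stray quote or space in it is still handed to libpq as written. The enclosing constructor begins in the previous hunk and continues past this one.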