git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Sat, 15 Feb 2025 21:20:21 +0000 (16:20 -0500)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Sat, 15 Feb 2025 21:20:21 +0000 (16:20 -0500)
commit	9f45e6a91d8460ac0b1f30e6ae3eefb185b8d0ab
tree	3ab83c94f6a248072e576679ce843ce6160e504c	tree
parent	2a8a00674e973dec4d7d74d5e16c7d7cdedf2be5	commit \| diff

Make escaping functions retain trailing bytes of an invalid character.

Instead of dropping the trailing byte(s) of an invalid or incomplete
multibyte character, replace only the first byte with a known-invalid
sequence, and process the rest normally. This seems less likely to
confuse incautious callers than the behavior adopted in 5dc1e42b4.

While we're at it, adjust PQescapeStringInternal to produce at most
one bleat about invalid multibyte characters per string. This
matches the behavior of PQescapeInternal, and avoids the risk of
producing tons of repetitive junk if a long string is simply given
in the wrong encoding.

This is a followup to the fixes for CVE-2025-1094, and should be
included if cherry-picking those fixes.

Author: Andres Freund <andres@anarazel.de>
Co-authored-by: Tom Lane <tgl@sss.pgh.pa.us>
Reported-by: Jeff Davis <pgsql@j-davis.com>
Discussion: https://postgr.es/m/20250215012712.45@rfd.leadboat.com
Backpatch-through: 13

src/fe_utils/string_utils.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-exec.c		diff \| blob \| blame \| history