]> git.ipfire.org Git - thirdparty/postgresql.git/commit
projects / thirdparty / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1b637d7) | patch
Backport to 7.3. Third try to fix the sql injection
authorBarry Lind <barry@xythos.com>
Thu, 7 Aug 2003 17:56:27 +0000 (17:56 +0000)
committerBarry Lind <barry@xythos.com>
Thu, 7 Aug 2003 17:56:27 +0000 (17:56 +0000)
commit8ba1fa7db1f0d5da104f624afae43de272e0c3ed
treef7655b93f90ca83391efd0c26e4a30620d207d79tree | snapshot
parent1b637d7cbebfaec15a43275d4419b5a90864384bcommit | diff
Backport to 7.3.  Third try to fix the sql injection
vulnerability.  This fix completely removes the ability (hack) of being able
to bind a list of values in an in clause.  It was demonstrated that by allowing
that functionality you open up the possibility for certain types of
sql injection attacks.  The previous fix attempts all focused on preventing
the insertion of additional sql statements (the semi-colon problem:
xxx; any new sql statement here).  But that still left the ability to
change the where clause on the current statement or perform a subselect
which can circumvent applicaiton security logic and/or allow you to call
any stored function.

 Modified Files:
  Tag: REL7_3_STABLE
jdbc/org/postgresql/Driver.java.in
  jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
src/interfaces/jdbc/org/postgresql/Driver.java.in diff | blob | blame | history
src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java diff | blob | blame | history
Mirror of https://git.postgresql.org/git/postgresql.git