From 5326e0af58f1fb0160cb859d77a19be04788df73 Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Fri, 17 Apr 2020 15:24:56 +0200
Subject: [PATCH] quote/escape PG connection parameters

---
 docs/upgrading.rst              |  6 ++++++
 modules/gpgsqlbackend/spgsql.cc | 19 ++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index a6c5a53de9..f68edf3054 100644
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -17,6 +17,12 @@ upgrade notes if your version is older than 3.4.2.
 The in-database format of the ``IPSECKEY`` has changed from 'generic' format to its specialized format.
 It is recommended to re-transfer, using ``pdns_control retrieve ZONE``, all zones that have ``IPSECKEY`` or ``TYPE45`` records.
 
+PostgreSQL configuration escaping
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+We now correctly quote/escape Postgres connection parameters.
+If you used single quotes around your Postgres password because it contained spaces, you now need to remove those quotes.
+
 4.3.0 to 4.3.1
 --------------
 
diff --git a/modules/gpgsqlbackend/spgsql.cc b/modules/gpgsqlbackend/spgsql.cc
index fe6e06517a..26aa3b9fbd 100644
--- a/modules/gpgsqlbackend/spgsql.cc
+++ b/modules/gpgsqlbackend/spgsql.cc
@@ -277,6 +277,15 @@ private:
 
 bool SPgSQL::s_dolog;
 
+static string escapeForPQparam(const string &v)
+{
+  string ret = v;
+  boost::replace_all(ret, "\\", "\\\\");
+  boost::replace_all(ret, "'", "\\'");
+
+  return string("'")+ret+string("'");
+}
+
 SPgSQL::SPgSQL(const string &database, const string &host, const string& port, const string &user, const string &password, const string &extra_connection_parameters, const bool use_prepared)
 {
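Review bot: escapeForPQparam carries no comment saying which quoting syntax it implements, and the order of the two replace_all calls is load-bearing: backslashes must be doubled before quotes are escaped, otherwise the backslash inserted for `'` would itself be doubled. Suggest a header comment such as `// Quote a value for a libpq keyword=value connection string: wrap in single quotes and escape \ and ' with a backslash; backslashes must be handled first.` It is also worth stating that the function always returns a quoted value, so callers must not pass input that is already quoted — which is exactly the behaviour change the docs hunk warns operators about. boost::replace_all needs the boost string-algorithm header in scope; the include block is outside this hunk, so I cannot confirm it is already present.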
@@ -286,16 +295,16 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
   d_nstatements = 0;
 
   if (!database.empty())
-    d_connectstr+="dbname="+database;
+    d_connectstr+="dbname="+escapeForPQparam(database);
 
   if (!user.empty())
-    d_connectstr+=" user="+user;
+    d_connectstr+=" user="+escapeForPQparam(user);
 
   if(!host.empty())
-    d_connectstr+=" host="+host;
+    d_connectstr+=" host="+escapeForPQparam(host);
 
   if(!port.empty())
-    d_connectstr+=" port="+port;
+    d_connectstr+=" port="+escapeForPQparam(port);
 
   if(!extra_connection_parameters.empty())
     d_connectstr+=" " + extra_connection_parameters;
@@ -304,7 +313,7 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
 
   if(!password.empty()) {
     d_connectlogstr+=" password=";
-    d_connectstr+=" password="+escapeForPQparam(password);
+    d_connectstr+=" password="+escapeForPQparam(password);
   }
 
   d_use_prepared = use_prepared;
-- 
2.47.2
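Review bot: The four guarded appends for dbname/user/host/port (and the fifth for password in the next hunk) are copies of the same three-line pattern, each of which has to remember to call escapeForPQparam; a future parameter added the old way would silently go in unquoted again. Folding them into one small helper keeps the quoting in a single place, and also removes the `if (` / `if(` spacing inconsistency in this hunk. Note that extra_connection_parameters is deliberately appended verbatim; that deserves a comment so nobody later "fixes" it by quoting a whole fragment, e.g. `// raw "key=value ..." fragment from the operator, appended unquoted`. The helper below drops the leading space before the first pair, which libpq ignores, but I cannot see d_connectstr's initialisation, so please confirm it is empty at this point; the enclosing constructor starts and ends outside the hunk.
```cpp
  // Append "key=value" with the value quoted; skipped when the value is
  // empty so every parameter goes through escapeForPQparam.
  auto addParam = [this](const string& key, const string& value) {
    if (value.empty())
      return;
    if (!d_connectstr.empty())
      d_connectstr += " ";
    d_connectstr += key + "=" + escapeForPQparam(value);
  };
  addParam("dbname", database);
  addParam("user", user);
  addParam("host", host);
  addParam("port", port);

  // raw "key=value ..." fragment from the operator, appended unquoted
  if(!extra_connection_parameters.empty())
    d_connectstr+=" " + extra_connection_parameters;
  // … unchanged: password block (could call addParam("password", password) after the d_connectlogstr update) …
```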