Bruce Momjian 54549d8dc4
> I found a problem with PQescapeString (I think). Since it escapes
> null bytes to be literally '\0', the following can happen:
> 1. User inputs string value as "<null byte>##" where ## are digits in the
> range of 0 to 7.
> 2. PQescapeString converts this to "\0##"
> 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> an octal escape sequence.

I agree that this is a problem, though it is not possible to do
anything harmful with it.  In addition, it only occurs if there are
any NUL characters in its input, which is very unlikely if you are
using C strings.

The patch below addresses the issue by removing escaping of \0
characters entirely.

> If the goal is to "safely" encode null bytes, and preserve the rest of the
> string as it was entered, I think the null bytes should be escaped as \\000
> (note that if you simply use \000 the same string truncation problem
> occurs).

We can't do that, this would require 4n + 1 bytes of storage for the
result, breaking the interface.

Florian Weimer
2001-09-13 17:00:34 +00:00
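
The ambiguity described in the commit message above, as an added example that is not part of the commit or of libpq. `model_escape`, `model_decode` and `round_trip` are hypothetical stand-ins for the escaper and for a consumer that honours octal escapes, and the input bytes are constructed.

```c
#include <stdio.h>

/* Model escaper, not libpq source: doubles ' and \; with escape_nul set it also
 * writes a NUL byte as the two characters \0. `to` needs 2*len + 1 bytes. */
size_t model_escape(char *to, const unsigned char *from, size_t len, int escape_nul)
{
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = from[i];
        if (c == '\0' && escape_nul) { *p++ = '\\'; *p++ = '0'; }
        else if (c == '\'' || c == '\\') { *p++ = (char)c; *p++ = (char)c; }
        else *p++ = (char)c;
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* Hypothetical consumer: backslash + 1..3 octal digits is one byte,
 * backslash + any other character is that character, '' is one quote. */
size_t model_decode(unsigned char *out, const char *in, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\\' && i + 1 < len && in[i + 1] >= '0' && in[i + 1] <= '7') {
            unsigned v = 0;
            for (int d = 0; d < 3 && i + 1 < len && in[i + 1] >= '0' && in[i + 1] <= '7'; d++)
                v = v * 8 + (unsigned)(in[++i] - '0');
            out[n++] = (unsigned char)v;
        } else if (i + 1 < len && (in[i] == '\\' || (in[i] == '\'' && in[i + 1] == '\''))) {
            out[n++] = (unsigned char)in[++i];   /* \x -> x, '' -> ' */
        } else out[n++] = (unsigned char)in[i];
    }
    return n;
}

/* Escape into a 2*len + 1 buffer, then decode; len must be <= 31 here. */
size_t round_trip(unsigned char *out, const unsigned char *in, size_t len, int escape_nul)
{
    char esc[64];
    return model_decode(out, esc, model_escape(esc, in, len, escape_nul));
}

int main(void)
{
    const unsigned char in[] = { 'a', 0, '1', '2', 'b' };   /* constructed input */
    unsigned char out[16];
    size_t n1 = round_trip(out, in, sizeof in, 1), n0 = round_trip(out, in, sizeof in, 0);
    printf("%zu in; %zu back with NUL as \\0, %zu back with NUL untouched\n", sizeof in, n1, n0);
    return 0;
}
```

With NUL written as `\0`, the five input bytes come back as three, because the consumer reads `\012` as the single byte 0x0A; with NUL left unescaped the bytes come back unchanged.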
ChangeLogs not sure about this one ... but should have changelog in both versions ... 2001-05-05 20:24:56 +00:00
config Make prep_buildtree harmless when run on top of the source tree. 2001-09-10 23:28:59 +00:00
contrib Add -U, -P, -C options. See README.pgbench for more details. 2001-09-09 03:15:56 +00:00
doc Replace ASCII-quotes with proper markup. 2001-09-13 15:55:24 +00:00
src > I found a problem with PQescapeString (I think). Since it escapes 2001-09-13 17:00:34 +00:00
aclocal.m4 Put the right runpath to libpq into the Perl module shared object on more 2001-08-26 22:28:04 +00:00
configure Check both -lrt and -lposix4 for fdatasync, to cover all Solaris versions. 2001-09-12 12:14:41 +00:00
configure.in Check both -lrt and -lposix4 for fdatasync, to cover all Solaris versions. 2001-09-12 12:14:41 +00:00
COPYRIGHT Change Copyright from PostgreSQL, Inc to PostgreSQL Global Development Group. 2001-01-24 19:43:33 +00:00
GNUmakefile.in Rearrange distribution split as discussed on -hackers. 2001-04-08 17:28:10 +00:00
HISTORY Just a test. 2001-08-15 19:41:08 +00:00
INSTALL Revert wrong SCO OpenServer report, update comments and improve formatting 2001-04-06 15:52:41 +00:00
Makefile Restructure the key include files per recent pghackers discussion: there 2001-02-10 02:31:31 +00:00
README Stamp CVS as 7.2. Update all interface version numbers. This is the 2001-05-11 01:46:33 +00:00
register.txt Stamp CVS as 7.2. Update all interface version numbers. This is the 2001-05-11 01:46:33 +00:00

PostgreSQL Data Base Management System (formerly known as Postgres, then
as Postgres95).
  
This directory contains the development version of 7.2 of the
PostgreSQL database server.  The server is not 100% ANSI SQL compliant,
but it gets closer with every release.  After you unzip and untar the
distribution file, look at file INSTALL for the installation notes and
file HISTORY for the changes.

The latest version of this software may be obtained at
ftp://ftp.postgresql.org/pub/.  For more information look at our WWW
home page located at http://www.postgreSQL.org/.

PostgreSQL is not public domain software.  It is copyrighted by the
University of California but may be used according to the licensing
terms of the copyright below:

------------------------------------------------------------------------

POSTGRES95 Data Base Management System (formerly known as Postgres, then
as Postgres95).

Copyright (c) 1994-7 Regents of the University of California

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose, without fee, and without a written agreement
is hereby granted, provided that the above copyright notice and this
paragraph and the following two paragraphs appear in all copies.

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO
PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.