oss-sec mailing list archives

Re: postgresql-jdbc 8.1 SQL injection with postgresql server 9.1

From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 30 Mar 2012 22:02:51 +0200

* Ludwig Nussel:

Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
postgresql-jdbc before version 8.2-504 however did not know about that
kind of string and escaped single quotes with a backslash always. When
such an old version of postgresql-jdbc is used with a newer postgresql
server it not only breaks when strings contain single quotes, it also
allows for SQL injections[3].


By the way, if you want to fix this for some reason, you should
probably include support for the modified BYTEA encoding introduced in
the 9.0 server version, too.

Current thread:

postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Ludwig Nussel (Mar 30)
- Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Robert Haas (Mar 30)
  - Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Robert Haas (Mar 30)
- Re: postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Florian Weimer (Mar 30)