Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit0a73f69

Browse files
author
Barry Lind
committed
Fix to prevent SQL injection attacks for code calling setObject(int,Object,int)
where Object is a user supplied String and the type is a numeric type(i.e. INTEGER,LONG,etc).Also applied a patch from Kim Ho that fixes compile problems under jdk1.2 Modified Files: jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
1 parent11cb598 commit0a73f69

File tree

2 files changed

+43
-25
lines changed

2 files changed

+43
-25
lines changed

‎src/interfaces/jdbc/org/postgresql/Driver.java.in‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
* Copyright (c) 2003, PostgreSQL Global Development Group
77
*
88
* IDENTIFICATION
9-
* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/Attic/Driver.java.in,v 1.32 2003/07/21 20:48:31 barry Exp $
9+
* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/Attic/Driver.java.in,v 1.33 2003/07/22 05:17:09 barry Exp $
1010
*
1111
*-------------------------------------------------------------------------
1212
*/
@@ -503,6 +503,6 @@ public class Driver implements java.sql.Driver
503503

504504

505505
//The build number should be incremented for every new build
506-
private static int m_buildNumber =206;
506+
private static int m_buildNumber =207;
507507

508508
}

‎src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java‎

Lines changed: 41 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
importjava.sql.Types;
2626
importjava.util.Vector;
2727

28-
/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.27 2003/07/09 05:12:04 barry Exp $
28+
/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.28 2003/07/22 05:17:09 barry Exp $
2929
* This class defines methods of the jdbc1 specification. This class is
3030
* extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2
3131
* methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement
@@ -1035,22 +1035,37 @@ public void setString(int parameterIndex, String x, String type) throws SQLExcep
10351035
{
10361036
sbuf.setLength(0);
10371037
sbuf.ensureCapacity(x.length() + (int)(x.length() /10));
1038-
inti;
1039-
10401038
sbuf.append('\'');
1041-
for (i =0 ;i <x.length() ; ++i)
1042-
{
1043-
charc =x.charAt(i);
1044-
if (c =='\\' ||c =='\'')
1045-
sbuf.append((char)'\\');
1046-
sbuf.append(c);
1047-
}
1039+
escapeString(x,sbuf);
10481040
sbuf.append('\'');
10491041
bind(parameterIndex,sbuf.toString(),type);
10501042
}
10511043
}
10521044
}
10531045

1046+
privateStringescapeString(Stringp_input) {
1047+
// use the shared buffer object. Should never clash but this makes
1048+
// us thread safe!
1049+
synchronized (sbuf)
1050+
{
1051+
sbuf.setLength(0);
1052+
sbuf.ensureCapacity(p_input.length());
1053+
escapeString(p_input,sbuf);
1054+
returnsbuf.toString();
1055+
}
1056+
}
1057+
1058+
privatevoidescapeString(Stringp_input,StringBufferp_output) {
1059+
for (inti =0 ;i <p_input.length() ; ++i)
1060+
{
1061+
charc =p_input.charAt(i);
1062+
if (c =='\\' ||c =='\'')
1063+
p_output.append((char)'\\');
1064+
p_output.append(c);
1065+
}
1066+
}
1067+
1068+
10541069
/*
10551070
* Set a parameter to a Java array of bytes. The driver converts this
10561071
* to a SQL VARBINARY or LONGVARBINARY (depending on the argument's
@@ -1467,7 +1482,7 @@ public void setObject(int parameterIndex, Object x, int targetSqlType, int scale
14671482
if (xinstanceofBoolean)
14681483
bind(parameterIndex,((Boolean)x).booleanValue() ?"1" :"0",PG_BOOLEAN);
14691484
else
1470-
bind(parameterIndex,x.toString(),PG_INTEGER);
1485+
bind(parameterIndex,escapeString(x.toString()),PG_INTEGER);
14711486
break;
14721487
caseTypes.TINYINT:
14731488
caseTypes.SMALLINT:
@@ -1480,7 +1495,7 @@ public void setObject(int parameterIndex, Object x, int targetSqlType, int scale
14801495
if (xinstanceofBoolean)
14811496
bind(parameterIndex, ((Boolean)x).booleanValue() ?"1" :"0",PG_BOOLEAN);
14821497
else
1483-
bind(parameterIndex,x.toString(),PG_NUMERIC);
1498+
bind(parameterIndex,escapeString(x.toString()),PG_NUMERIC);
14841499
break;
14851500
caseTypes.CHAR:
14861501
caseTypes.VARCHAR:
@@ -1913,15 +1928,12 @@ public String toString()
19131928
}
19141929

19151930
/*
1916-
* There are a lot of setXXX classes which all basically do
1917-
* the same thing.We need a method which actually does the
1918-
* set for us.
1919-
*
1920-
* @param paramIndex the index into the inString
1921-
* @param s a string to be stored
1922-
* @exception SQLException if something goes wrong
1931+
* Note if s is a String it should be escaped by the caller to avoid SQL
1932+
* injection attacks. It is not done here for efficency reasons as
1933+
* most calls to this method do not require escaping as the source
1934+
* of the string is known safe (i.e. Integer.toString())
19231935
*/
1924-
protectedvoidbind(intparamIndex,Objects,Stringtype)throwsSQLException
1936+
privatevoidbind(intparamIndex,Objects,Stringtype)throwsSQLException
19251937
{
19261938
if (paramIndex <1 ||paramIndex >m_binds.length)
19271939
thrownewPSQLException("postgresql.prep.range");
@@ -2072,7 +2084,9 @@ private java.sql.Date dateFromString (String s) throws SQLException
20722084
if (timezoneLocation>7 &&timezoneLocation+3 ==s.length())
20732085
{
20742086
timezone =Integer.parseInt(s.substring(timezoneLocation+1,s.length()));
2075-
localoffset =java.util.Calendar.getInstance().getTimeZone().getOffset(millis);
2087+
localoffset =java.util.Calendar.getInstance().getTimeZone().getRawOffset();
2088+
if (java.util.Calendar.getInstance().getTimeZone().inDaylightTime(newjava.sql.Date(millis)))
2089+
localoffset +=60*60*1000;
20762090
if (s.charAt(timezoneLocation)=='+')
20772091
timezone*=-1;
20782092
}
@@ -2101,7 +2115,9 @@ private java.sql.Time timeFromString (String s) throws SQLException
21012115
if (timezoneLocation != -1 &&timezoneLocation+3 ==s.length())
21022116
{
21032117
timezone =Integer.parseInt(s.substring(timezoneLocation+1,s.length()));
2104-
localoffset =java.util.Calendar.getInstance().getTimeZone().getOffset(millis);
2118+
localoffset =java.util.Calendar.getInstance().getTimeZone().getRawOffset();
2119+
if (java.util.Calendar.getInstance().getTimeZone().inDaylightTime(newjava.sql.Date(millis)))
2120+
localoffset +=60*60*1000;
21052121
if (s.charAt(timezoneLocation)=='+')
21062122
timezone*=-1;
21072123
}
@@ -2146,7 +2162,9 @@ else if (timezoneLocation > 8)
21462162
if (timezoneLocation>8 &&timezoneLocation+3 ==s.length())
21472163
{
21482164
timezone =Integer.parseInt(s.substring(timezoneLocation+1,s.length()));
2149-
localoffset =java.util.Calendar.getInstance().getTimeZone().getOffset(millis);
2165+
localoffset =java.util.Calendar.getInstance().getTimeZone().getRawOffset();
2166+
if (java.util.Calendar.getInstance().getTimeZone().inDaylightTime(newjava.sql.Date(millis)))
2167+
localoffset +=60*60*1000;
21502168
if (s.charAt(timezoneLocation)=='+')
21512169
timezone*=-1;
21522170
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp