Commit a401226

Prevent the injection of invalidly encoded strings by PL/Python into PostgreSQL
with a few strategically placed pg_verifymbstr calls.
1 parent ab5694e commit a401226

2 files changed, +17 -2 lines changed


‎doc/src/sgml/plpython.sgml

Lines changed: 12 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/plpython.sgml,v 1.45 2010/03/13 20:55:05 petere Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/plpython.sgml,v 1.46 2010/03/18 19:43:03 petere Exp $ -->
22

33
<chapter id="plpython">
44
<title>PL/Python - Python Procedural Language</title>
@@ -340,6 +340,17 @@ $$ LANGUAGE plpythonu;
340340
builtin <literal>str</literal>, and the result is passed to the
341341
input function of the PostgreSQL data type.
342342
</para>
343+
344+
<para>
345+
Strings in Python 2 are required to be in the PostgreSQL server
346+
encoding when they are passed to PostgreSQL. Strings that are
347+
not valid in the current server encoding will raise an error,
348+
but not all encoding mismatches can be detected, so garbage
349+
data can still result when this is not done correctly. Unicode
350+
strings are converted to the correct encoding automatically, so
351+
it can be safer and more convenient to use those. In Python 3,
352+
all strings are Unicode strings.
353+
</para>
343354
</listitem>
344355

345356
<listitem>
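Review bot: In the added <para>, "when this is not done correctly" has no clear antecedent, and "not all encoding mismatches can be detected" does not say which mismatches slip through. Suggest wording the first as "when a string is passed in a different encoding" and naming the undetected case in one clause, since the advice to prefer Unicode strings rests on it. The paragraph sits in the list item about conversion through the data type's input function, while the same check is added to the query and message paths in plpython.c; one sentence saying so would keep the documentation matched to the code.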

‎src/pl/plpython/plpython.c

Lines changed: 5 additions & 1 deletion
@@ -1,7 +1,7 @@
11
/**********************************************************************
22
* plpython.c - python as a procedural language for PostgreSQL
33
*
4-
*$PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.140 2010/03/1813:23:56 petere Exp $
4+
*$PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.141 2010/03/1819:43:03 petere Exp $
55
*
66
*********************************************************************
77
*/
@@ -2174,6 +2174,7 @@ PLyObject_ToDatum(PLyTypeInfo *info,
21742174
errmsg("could not convert Python object into cstring: Python string representation appears to contain null bytes")));
21752175
elseif (slen>plen)
21762176
elog(ERROR,"could not convert Python object into cstring: Python string longer than reported length");
2177+
pg_verifymbstr(plrv_sc,slen, false);
21772178
rv=InputFunctionCall(&arg->typfunc,plrv_sc,arg->typioparam,-1);
21782179
}
21792180
PG_CATCH();
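Review bot: The added pg_verifymbstr(plrv_sc, slen, false) line directly follows an unbraced if / else if chain in PLyObject_ToDatum, so at first glance it reads as part of the else if branch; a blank line before it, or braces on the two checks above, would make clear that it runs on every path. The bare false should get a short comment saying that invalid input raises an error here rather than returning a status. The two neighbouring checks prefix their messages with "could not convert Python object into cstring", which the error raised by this call will not carry, so consider whether the user can still tell that the failure came from a PL/Python return value.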
@@ -2871,6 +2872,7 @@ PLy_spi_prepare(PyObject *self, PyObject *args)
28712872
}
28722873
}
28732874

2875+
pg_verifymbstr(query,strlen(query), false);
28742876
plan->plan=SPI_prepare(query,plan->nargs,plan->types);
28752877
if (plan->plan==NULL)
28762878
elog(ERROR,"SPI_prepare failed: %s",
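Review bot: Only closing braces are visible above the added pg_verifymbstr(query, strlen(query), false) line in PLy_spi_prepare, so please confirm that it sits inside the same PG_TRY section as the SPI_prepare call; the error it raises should go through the same cleanup as a failed prepare. The check covers the query text only, and a one-line comment stating that would help the next reader who wonders about strings supplied later as plan arguments.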
@@ -3078,6 +3080,7 @@ PLy_spi_execute_query(char *query, long limit)
30783080
oldcontext=CurrentMemoryContext;
30793081
PG_TRY();
30803082
{
3083+
pg_verifymbstr(query,strlen(query), false);
30813084
rv=SPI_execute(query,PLy_curr_procedure->fn_readonly,limit);
30823085
}
30833086
PG_CATCH();
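Review bot: The line added in PLy_spi_execute_query is identical to the one added in PLy_spi_prepare, and the commit changes only the SGML documentation and plpython.c, so neither call site is covered by a regression test. Suggest a test that sends an invalidly encoded query string through both entry points and expects the error, and consider a small static helper so the two checks cannot drift apart.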
@@ -3353,6 +3356,7 @@ PLy_output(volatile int level, PyObject *self, PyObject *args)
33533356
oldcontext=CurrentMemoryContext;
33543357
PG_TRY();
33553358
{
3359+
pg_verifymbstr(sv,strlen(sv), false);
33563360
elog(level,"%s",sv);
33573361
}
33583362
PG_CATCH();
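Review bot: In PLy_output the check runs before elog(level, "%s", sv) with false as the last argument, so a message containing an invalid byte sequence raises an error whatever level the caller asked for, including the low-severity ones. If that is intended, say so in a comment and in the new documentation paragraph; otherwise pass true and emit a sanitized message when the check fails, so that a logging call does not abort the function.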
