NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitacf09c6

Barry Lind

committed

Sometimes the third time is the charm. Third try to fix the sql injection

vulnerability. This fix completely removes the ability (hack) of being ableto bind a list of values in an in clause. It was demonstrated that by allowingthat functionality you open up the possibility for certain types ofsql injection attacks. The previous fix attempts all focused on preventingthe insertion of additional sql statements (the semi-colon problem:xxx; any new sql statement here). But that still left the ability tochange the where clause on the current statement or perform a subselectwhich can circumvent applicaiton security logic and/or allow you to callany stored function. Modified Files: jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

1 parentf0f1375 commitacf09c6Copy full SHA for acf09c6

File tree

1 file changed

+17

-20

lines changed

src/interfaces/jdbc/org/postgresql/jdbc1
- AbstractJdbc1Statement.java

1 file changed

+17

-20

lines changed

`‎src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java`

Lines changed: 17 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@`
`25`	`25`	`importjava.sql.Types;`
`26`	`26`	`importjava.util.Vector;`
`27`	`27`
`28`		`-/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.29 2003/07/24 00:30:39 barry Exp $`
	`28`	`+/* $Header: /cvsroot/pgsql/src/interfaces/jdbc/org/postgresql/jdbc1/Attic/AbstractJdbc1Statement.java,v 1.30 2003/08/07 04:03:13 barry Exp $`
`29`	`29`	`* This class defines methods of the jdbc1 specification. This class is`
`30`	`30`	`* extended by org.postgresql.jdbc2.AbstractJdbc2Statement which adds the jdbc2`
`31`	`31`	`* methods. The real Statement class (for jdbc1) is org.postgresql.jdbc1.Jdbc1Statement`
`@@ -1036,26 +1036,14 @@ public void setString(int parameterIndex, String x, String type) throws SQLExcep`
`1036`	`1036`	`sbuf.setLength(0);`
`1037`	`1037`	`sbuf.ensureCapacity(x.length() + (int)(x.length() /10));`
`1038`	`1038`	`sbuf.append('\'');`
`1039`		`-escapeString(x,sbuf,true);`
	`1039`	`+escapeString(x,sbuf);`
`1040`	`1040`	`sbuf.append('\'');`
`1041`	`1041`	`bind(parameterIndex,sbuf.toString(),type);`
`1042`	`1042`	`}`
`1043`	`1043`	`}`
`1044`	`1044`	`}`
`1045`	`1045`
`1046`		`-privateStringescapeString(Stringp_input) {`
`1047`		`-// use the shared buffer object. Should never clash but this makes`
`1048`		`-// us thread safe!`
`1049`		`-synchronized (sbuf)`
`1050`		`- {`
`1051`		`-sbuf.setLength(0);`
`1052`		`-sbuf.ensureCapacity(p_input.length());`
`1053`		`-escapeString(p_input,sbuf,false);`
`1054`		`-returnsbuf.toString();`
`1055`		`- }`
`1056`		`- }`
`1057`		`-`
`1058`		`-privatevoidescapeString(Stringp_input,StringBufferp_output,booleanp_allowStatementTerminator) {`
	`1046`	`+privatevoidescapeString(Stringp_input,StringBufferp_output) {`
`1059`	`1047`	`for (inti =0 ;i <p_input.length() ; ++i)`
`1060`	`1048`	`{`
`1061`	`1049`	`charc =p_input.charAt(i);`
`@@ -1068,9 +1056,6 @@ private void escapeString(String p_input, StringBuffer p_output, boolean p_allow`
`1068`	`1056`	`break;`
`1069`	`1057`	`case'\0':`
`1070`	`1058`	`thrownewIllegalArgumentException("\\0 not allowed");`
`1071`		`-case';':`
`1072`		`-if (!p_allowStatementTerminator)`
`1073`		`-thrownewIllegalArgumentException("semicolon not allowed");`
`1074`	`1059`	`default:`
`1075`	`1060`	`p_output.append(c);`
`1076`	`1061`	`}`
`@@ -1493,8 +1478,14 @@ public void setObject(int parameterIndex, Object x, int targetSqlType, int scale`
`1493`	`1478`	`caseTypes.INTEGER:`
`1494`	`1479`	`if (xinstanceofBoolean)`
`1495`	`1480`	`bind(parameterIndex,((Boolean)x).booleanValue() ?"1" :"0",PG_BOOLEAN);`
	`1481`	`+elseif (xinstanceofInteger \|\|xinstanceofLong \|\|`
	`1482`	`+xinstanceofDouble \|\|xinstanceofShort \|\|`
	`1483`	`+xinstanceofNumber \|\|xinstanceofFloat )`
	`1484`	`+bind(parameterIndex,x.toString(),PG_INTEGER);`
`1496`	`1485`	`else`
`1497`		`-bind(parameterIndex,escapeString(x.toString()),PG_INTEGER);`
	`1486`	`+//ensure the value is a valid numeric value to avoid`
	`1487`	`+//sql injection attacks`
	`1488`	`+bind(parameterIndex,newBigDecimal(x.toString()).toString(),PG_INTEGER);`
`1498`	`1489`	`break;`
`1499`	`1490`	`caseTypes.TINYINT:`
`1500`	`1491`	`caseTypes.SMALLINT:`
`@@ -1506,8 +1497,14 @@ public void setObject(int parameterIndex, Object x, int targetSqlType, int scale`
`1506`	`1497`	`caseTypes.NUMERIC:`
`1507`	`1498`	`if (xinstanceofBoolean)`
`1508`	`1499`	`bind(parameterIndex, ((Boolean)x).booleanValue() ?"1" :"0",PG_BOOLEAN);`
	`1500`	`+elseif (xinstanceofInteger \|\|xinstanceofLong \|\|`
	`1501`	`+xinstanceofDouble \|\|xinstanceofShort \|\|`
	`1502`	`+xinstanceofNumber \|\|xinstanceofFloat )`
	`1503`	`+bind(parameterIndex,x.toString(),PG_NUMERIC);`
`1509`	`1504`	`else`
`1510`		`-bind(parameterIndex,escapeString(x.toString()),PG_NUMERIC);`
	`1505`	`+//ensure the value is a valid numeric value to avoid`
	`1506`	`+//sql injection attacks`
	`1507`	`+bind(parameterIndex,newBigDecimal(x.toString()).toString(),PG_NUMERIC);`
`1511`	`1508`	`break;`
`1512`	`1509`	`caseTypes.CHAR:`
`1513`	`1510`	`caseTypes.VARCHAR:`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitacf09c6

File tree

1 file changed

1 file changed

`‎src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java`

0 commit comments