Disable the use of Unicode escapes in string constants (U&'') when
standard_conforming_strings is not on, for security reasons.
parent
616bceb8cb
commit
40bc4c2605
@ -1,4 +1,4 @@
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009/04/27 16:27:36 momjian Exp $ -->
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009/05/05 18:32:17 petere Exp $ -->
|
||||
|
||||
<chapter id="sql-syntax">
|
||||
<title>SQL Syntax</title>
|
||||
@ -499,6 +499,17 @@ U&'d!0061t!+000061' UESCAPE '!'
|
||||
specified.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Also, the Unicode escape syntax for string constants only works
|
||||
when the configuration
|
||||
parameter <xref linkend="guc-standard-conforming-strings"> is
|
||||
turned on. This is because otherwise this syntax could confuse
|
||||
clients that parse the SQL statements to the point that it could
|
||||
lead to SQL injections and similar security issues. If the
|
||||
parameter is set to off, this syntax will be rejected with an
|
||||
error message.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To include the escape character in the string literally, write it
|
||||
twice.
|
||||
|
@ -24,7 +24,7 @@
|
||||
* Portions Copyright (c) 1994, Regents of the University of California
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -469,6 +469,11 @@ other .
|
||||
startlit();
|
||||
}
|
||||
{xusstart} {
|
||||
if (!standard_conforming_strings)
|
||||
ereport(ERROR,
|
||||
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||
errmsg("unsafe use of string constant with Unicode escapes"),
|
||||
errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));
|
||||
SET_YYLLOC();
|
||||
BEGIN(xus);
|
||||
startlit();
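Review bot: In the new {xusstart} rule, SET_YYLLOC() is only reached after the ereport, so the rejection is raised without a cursor position; the regression output confirms it, showing only ERROR/DETAIL lines where the neighbouring "invalid Unicode escape" errors carry a LINE and caret. Moving `SET_YYLLOC();` above the `if (!standard_conforming_strings)` check and adding `lexer_errposition()` as the last element of the ereport's argument list would give clients the same location information as the rest of the scanner's errors. A short comment above the check would also help the next reader, e.g. `/* With standard_conforming_strings off, backslashes in U&'' are ambiguous between Unicode escapes and legacy escape processing, so a client that pre-parses SQL could disagree with the server about where the literal ends; reject the construct outright. */`. Placing the check on the opening token, before any literal content is scanned, looks like the right spot and should be kept.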
|
||||
|
@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - third line'"
|
||||
LINE 3: ' - third line'
|
||||
^
|
||||
-- Unicode escapes
|
||||
SET standard_conforming_strings TO on;
|
||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||
data
|
||||
------
|
||||
@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||
dat\+000061
|
||||
(1 row)
|
||||
|
||||
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||
tricky
|
||||
--------
|
||||
\
|
||||
(1 row)
|
||||
|
||||
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||
\
|
||||
--------
|
||||
tricky
|
||||
(1 row)
|
||||
|
||||
SELECT U&'wrong: \061';
|
||||
ERROR: invalid Unicode escape value at or near "\061'"
|
||||
LINE 1: SELECT U&'wrong: \061';
|
||||
@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+';
|
||||
ERROR: invalid Unicode escape character at or near "+'"
|
||||
LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';
|
||||
^
|
||||
SET standard_conforming_strings TO off;
|
||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||
\
|
||||
--------
|
||||
tricky
|
||||
(1 row)
|
||||
|
||||
SELECT U&'wrong: \061';
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
SELECT U&'wrong: \+0061';
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||
ERROR: unsafe use of string constant with Unicode escapes
|
||||
DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.
|
||||
RESET standard_conforming_strings;
|
||||
--
|
||||
-- test conversions between various string types
|
||||
-- E021-10 implicit casting among the character data types
|
||||
|
@ -17,13 +17,32 @@ SELECT 'first line'
|
||||
AS "Illegal comment within continuation";
|
||||
|
||||
-- Unicode escapes
|
||||
SET standard_conforming_strings TO on;
|
||||
|
||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||
|
||||
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||
|
||||
SELECT U&'wrong: \061';
|
||||
SELECT U&'wrong: \+0061';
|
||||
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||
|
||||
SET standard_conforming_strings TO off;
|
||||
|
||||
SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";
|
||||
SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';
|
||||
|
||||
SELECT U&' \' UESCAPE '!' AS "tricky";
|
||||
SELECT 'tricky' AS U&"\" UESCAPE '!';
|
||||
|
||||
SELECT U&'wrong: \061';
|
||||
SELECT U&'wrong: \+0061';
|
||||
SELECT U&'wrong: +0061' UESCAPE '+';
|
||||
|
||||
RESET standard_conforming_strings;
|
||||
|
||||
--
|
||||
-- test conversions between various string types
|
||||
-- E021-10 implicit casting among the character data types
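Review bot: The block after `SET standard_conforming_strings TO off;` does not say why `SELECT 'tricky' AS U&"\" UESCAPE '!';` is still expected to succeed while every U&'' constant around it is rejected, and a reader could mistake it for a case the patch missed. Since the scanner change touches only the string-constant start rule and the expected output shows the identifier form still working, a comment above that statement such as `-- U& identifiers are unaffected by standard_conforming_strings; only U& string constants are rejected` would make the intent explicit. The same comment is worth mirroring in the corresponding expected-output file.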
|
||||
|