| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Oliver Jowett <oliver(at)opencloud(dot)com> |
| Cc: | pgsql-jdbc(at)postgresql(dot)org |
| Subject: | Re: New builds posted to jdbc.postgresql.org websit for jdbc driver |
| Date: | 2003-07-24 02:19:10 |
| Message-ID: | 14424.1059013150@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Oliver Jowett <oliver(at)opencloud(dot)com> writes:
> On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
>> New 7.3 and Dev builds for the driver are posted to the website. These
>> fix two additional sql injection vulnerabilities reported by Oliver
>> Jowett and Dmitry Tkach.
> Now that it's patched, the one I reported was that you could insert a
> literal \0 via setString() and friends, which the backend treated as "end of
> query", so you could use a string like this:
> "\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"
> to inject your own query.
FWIW, that won't work anymore in the V3 protocol, whether or not JDBC
has been patched to reject nulls ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Conway | 2003-07-24 05:24:10 | Re: the IN clause saga |
| Previous Message | Clyde Wright | 2003-07-24 02:18:36 | psql and jdbc insert discrepencies |