| From: | ITAGAKI Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp> |
|---|---|
| To: | Michael Meskes <meskes(at)postgresql(dot)org>, pgsql-patches(at)postgresql(dot)org |
| Cc: | harada(dot)toshi(at)oss(dot)ntt(dot)co(dot)jp |
| Subject: | Re: patch for ECPG (BUG #2956: ECPG does not treat multibyte characters correctly.) |
| Date: | 2007-02-27 11:51:36 |
| Message-ID: | 20070227203330.63A9.ITAGAKI.TAKAHIRO@oss.ntt.co.jp |
| Lists: | pgsql-patches |
Michael Meskes <meskes(at)postgresql(dot)org> wrote:
> > I found a bug in ecpg concerning processing of the multi-byte character-code.
> > I reported as bug#2956 before.
>
> I'm just committing the changes to CVS but only to HEAD because I cannot
> check if my changes broke something. The sources work fine on my system
> and the regression tests pass without a problem. But then I do not have
> a setup similar to yours. Could you please test this?

I tested the change and it worked fine, but I found that this fix
should be backported -- it might cause SQL injections depending on
the server configurations.

The attached patches are backports for the past releases.
I hope you will apply them. Thanks.

[TEST]
1. initdb --no-locale --encoding=UTF8
2. SET client_encoding = sjis in postgresql.conf
3. ecpg test.pgc
4. gcc test.c
5. test < src.sjis.txt
[RESULTS]
The first character is a Japanese kanji. (0x95+0x5c)
-- 8.3dev
表'; SELECT 9999;--
-- 8.2.3 : backslash_quote = safe_encoding
sql error 'unsafe use of \' in a string literal' in line 21.
-- 8.2.3 : backslash_quote = on (SQL injection!)
9999
-- 8.2.3 with patch : backslash_quote = safe_encoding
表'; SELECT 9999;--
Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center
| Attachment | Content-Type | Size |
|---|---|---|
| test.pgc | application/octet-stream | 414 bytes |
| src.sjis.txt | application/octet-stream | 19 bytes |
| ecpg-quote_8.0.11-7.4.10.diff | application/octet-stream | 1.3 KB |
| ecpg-quote_8.1.7.diff | application/octet-stream | 1.6 KB |
| ecpg-quote_8.2.3.diff | application/octet-stream | 2.0 KB |
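
Why the 0x95 0x5c byte pair in the results above matters, as an added example (not code from the message, its attachments, or ECPG): a byte-wise quoting routine doubles the 0x5c trail byte, and a Shift-JIS-aware scanner that honours backslash escapes then sees the literal end early, while encoding-aware quoting keeps the whole input inside the literal. The function names, the constructed sample bytes and the simplified scanner are assumptions made for illustration.

```c
#include <stddef.h>

/* Constructed sample: the kanji bytes named in the message, then the test text. */
const char SAMPLE[] = "\x95\x5c" "'; SELECT 9999;--";

/* Shift-JIS lead byte: first byte of a two-byte character. */
static int sjis_lead(unsigned char c)
{
    return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC);
}

/* Quote `in` as a SQL literal into `out` (needs 2*len+3 bytes).
 * aware == 0: byte-wise model, doubles every 0x27 and 0x5C it sees,
 *             including a 0x5C that is only the trail byte of a kanji.
 * aware != 0: copies lead byte + trail byte as one unit, so only real
 *             single-byte quotes and backslashes are doubled. */
size_t quote_literal(const char *in, char *out, int aware)
{
    size_t o = 0;
    out[o++] = '\'';
    for (; *in; in++) {
        if (aware && sjis_lead((unsigned char)*in) && in[1])
            out[o++] = *in++;            /* lead byte; trail copied below */
        else if (*in == '\'' || *in == '\\')
            out[o++] = *in;              /* double the special byte */
        out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return o;
}

/* Simplified model of a Shift-JIS-aware scanner with backslash escapes
 * enabled: returns the offset just past the closing quote of the literal
 * that starts at s[0], or 0 if the literal never terminates. */
size_t literal_end(const char *s)
{
    size_t i = 1;
    while (s[i]) {
        unsigned char c = (unsigned char)s[i];
        if (sjis_lead(c) && s[i + 1])           i += 2; /* whole kanji */
        else if (c == '\\' && s[i + 1])         i += 2; /* escaped byte */
        else if (c == '\'' && s[i + 1] == '\'') i += 2; /* doubled quote */
        else if (c == '\'')                     return i + 1;
        else                                    i++;
    }
    return 0;
}
```

A safe result is one where `literal_end()` equals the length returned by `quote_literal()`; any smaller value means trailing input bytes would be parsed as SQL rather than data.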