mailing list archives
Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From: Robert Haas <robertmhaas () gmail com>
Date: Fri, 30 Mar 2012 11:27:29 -0400
On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel () suse de> wrote:
Postgresql 9.1 turned "standard conforming strings" on by default.
postgresql-jdbc before version 8.2-504 however did not know about that
kind of string and escaped single quotes with a backslash always. When
such an old version of postgresql-jdbc is used with a newer postgresql
server it not only breaks when strings contain single quotes, it also
allows for SQL injections.
The bug is neither in postgresql-jdbc as it was working correctly at the
time it was released, nor is it really postgresql 9.1's fault which I
guess doesn't expect and can't detect such an old jdbc adapter. The
security issue arises when mixing the old adapter and the new server.
Right. This issue has been previously reported to pgsql-security.
The position of the pgsql-jdbc project is that a client version should
be used with a matching server version; therefore, the project views
the proposed combination as an unsupported configuration. Moreover,
PostgreSQL 8.2.x and postgresql-jdbc-8.2-x were desupported in general
as of December 2011. The end of life dates for each major release are
documented on our web site, and the pgsql-jdbc download site
clearly identifies this version of the driver as an "archived version"
rather than a "supported version". As a rule, bug fix and security
updates are not released for versions which are no longer supported;
users are advised to update to a supported version. Users of
pgsql-jdbc are further advised to use a major version that matches the
PostgreSQL server to which they are connecting.
The Enterprise PostgreSQL Company