- fix sql injection
authormisi3k <misi3k@pld-linux.org>
Mon, 7 Jul 2003 18:47:33 +0000 (18:47 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
- from debian

Changed files:
    proftpd-mod_sql_postgres.c.diff -> 1.1

proftpd-mod_sql_postgres.c.diff [new file with mode: 0644]

diff --git a/proftpd-mod_sql_postgres.c.diff b/proftpd-mod_sql_postgres.c.diff
new file mode 100644 (file)
index 0000000..a142f4c
--- /dev/null
@@ -0,0 +1,31 @@
+diff -urN proftpd-1.2.5rc1/contrib/mod_sql_postgres.c proftpd-1.2.5rc1-debian/contrib/mod_sql_postgres.c
+--- proftpd-1.2.5rc1/contrib/mod_sql_postgres.c        2003-06-19 15:32:52.000000000 +0200
++++ proftpd-1.2.5rc1-debian/contrib/mod_sql_postgres.c 2003-06-19 15:38:14.000000000 +0200
+@@ -1088,6 +1088,8 @@
+ {
+   conn_entry_t *entry = NULL;
+   db_conn_t *conn = NULL;
++  char *unescaped = NULL;
++  char *escaped = NULL;
+   log_debug(DEBUG_FUNC, _MOD_VERSION ": entering \tcmd_escapestring");
+@@ -1108,9 +1110,17 @@
+   conn = (db_conn_t *) entry->data;
+   /* PostgreSQL has no way to escape strings internally */
++  /* Note: the PQescapeString() function appeared in the C API as of
++   * Postgres-7.2.
++   */
++  unescaped = cmd->argv[1];
++  escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) *
++    (strlen(unescaped) * 2) + 1);
++
++  PQescapeString(escaped, unescaped, strlen(unescaped));
+   log_debug(DEBUG_FUNC, _MOD_VERSION ": exiting \tcmd_escapestring");
+-  return mod_create_data(cmd, (void *) cmd->argv[1]);
++  return mod_create_data(cmd, (void *) escaped );
+ }
+ /*
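Review bot: The new escaping uses the connection-less `PQescapeString()`, which cannot know the session's client encoding, so with a multibyte client encoding an attacker-chosen byte sequence can still close the quoted literal before the escaped output reaches the query; where the libpq in use provides it, `PQescapeStringConn()` should be called with the `PGconn *` held in `conn` (looked up just above the new block but otherwise unused by it) and its error flag checked, e.g. `int err = 0; PQescapeStringConn(/* PGconn from conn */, escaped, unescaped, strlen(unescaped), &err);` followed by failing the command when `err` is set. The comment `/* PostgreSQL has no way to escape strings internally */` left above the new note now contradicts the code that follows it and should be dropped or reworded to `/* Escape with libpq so quotes cannot terminate the literal */`. The `2 * strlen + 1` allocation matches libpq's documented requirement, but neither hunk shows whether `cmd->argv[1]` is checked for NULL before `strlen()` is applied; if the argument check lives above the first hunk this is fine, otherwise a guard is needed. cmd_escapestring's signature sits just above the first hunk, so the start of the function is not visible here.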