From 8ba1fa7db1f0d5da104f624afae43de272e0c3ed Mon Sep 17 00:00:00 2001
From: Barry Lind
Date: Thu, 7 Aug 2003 17:56:27 +0000
Subject: Backport to 7.3. Third try to fix the sql injection vulnerability. This fix completely removes the ability (hack) of being able to bind a list of values in an in clause. It was demonstrated that by allowing that functionality you open up the possibility for certain types of sql injection attacks. The previous fix attempts all focused on preventing the insertion of additional sql statements (the semi-colon problem: xxx; any new sql statement here). But that still left the ability to change the where clause on the current statement or perform a subselect which can circumvent applicaiton security logic and/or allow you to call any stored function. Modified Files: Tag: REL7_3_STABLE jdbc/org/postgresql/Driver.java.in jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
---
 src/interfaces/jdbc/org/postgresql/Driver.java.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/interfaces/jdbc/org/postgresql/Driver.java.in')
diff --git a/src/interfaces/jdbc/org/postgresql/Driver.java.in b/src/interfaces/jdbc/org/postgresql/Driver.java.in
index 241c5889de7..c53f2fd82bf 100644
--- a/src/interfaces/jdbc/org/postgresql/Driver.java.in
+++ b/src/interfaces/jdbc/org/postgresql/Driver.java.in
@@ -446,6 +446,6 @@ public class Driver implements java.sql.Driver
 }
 //The build number should be incremented for every new build
- private static int m_buildNumber = 112;
+ private static int m_buildNumber = 113;
 }
-- 
cgit v1.2.3