From 515f90998edd9239d314749a1b94d19227d0d54b Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Sun, 21 May 2006 20:11:25 +0000
Subject: [PATCH] Add a new GUC parameter backslash_quote, which determines
 whether the SQL parser will allow "\'" to be used to represent a literal
 quote mark.  The "\'" representation has been deprecated for some time in
 favor of the SQL-standard representation "''" (two single quote marks), but
 it has been used often enough that just disallowing it immediately won't do. 
 Hence backslash_quote allows the settings "on", "off", and "safe_encoding",
 the last meaning to allow "\'" only if client_encoding is a valid server
 encoding.  That is now the default, and the reason is that in encodings such
 as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a multibyte
 character, accepting "\'" allows SQL-injection attacks as per CVE-2006-2314
 (further details will be published after release).  The "on" setting is
 available for backward compatibility, but it must not be used with clients
 that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
---
 doc/src/sgml/runtime.sgml                     | 87 ++++++++++++-------
 src/backend/parser/scan.l                     | 35 +++++++-
 src/backend/utils/misc/guc.c                  | 38 ++++++++
 src/backend/utils/misc/postgresql.conf.sample |  3 +-
 src/bin/psql/tab-complete.c                   |  3 +-
 src/include/parser/gramparse.h                | 11 +++
 6 files changed, 142 insertions(+), 35 deletions(-)

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 509bcfa624..a5f7c30e47 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -3490,39 +3490,31 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-regex-flavor" xreflabel="regex_flavor">
-      <term><varname>regex_flavor</varname> (<type>string</type>)</term>
-      <indexterm><primary>regular expressions</></>
+     <varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
+      <term><varname>backslash_quote</varname> (<type>string</type>)</term>
+      <indexterm><primary>strings</><secondary>backslash quotes</></>
       <indexterm>
-       <primary><varname>regex_flavor</> configuration parameter</primary>
+       <primary><varname>backslash_quote</> configuration parameter</primary>
       </indexterm>
       <listitem>
        <para>
-        The regular expression <quote>flavor</> can be set to
-        <literal>advanced</>, <literal>extended</>, or <literal>basic</>.
-        The default is <literal>advanced</>.  The <literal>extended</>
-        setting may be useful for exact backwards compatibility with
-        pre-7.4 releases of <productname>PostgreSQL</>.  See
-        <xref linkend="posix-syntax-details"> for details.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="guc-sql-inheritance" xreflabel="sql_inheritance">
-      <term><varname>sql_inheritance</varname> (<type>boolean</type>)</term>
-      <indexterm>
-       <primary><varname>sql_inheritance</> configuration parameter</primary>
-      </indexterm>
-      <indexterm><primary>inheritance</></>
-      <listitem>
-       <para>
-        This controls the inheritance semantics, in particular whether
-        subtables are included by various commands by default. They were
-        not included in versions prior to 7.1. If you need the old
-        behavior you can set this variable to off, but in the long run
-        you are encouraged to change your applications to use the
-        <literal>ONLY</literal> key word to exclude subtables. See
-        <xref linkend="ddl-inherit"> for more information about inheritance.
+        This controls whether a quote mark can be represented by
+        <literal>\'</> in a string literal.  The preferred, SQL-standard way
+        to represent a quote mark is by doubling it (<literal>''</>) but
+        <productname>PostgreSQL</> has historically also accepted
+        <literal>\'</>. However, use of <literal>\'</> creates security risks
+        because in some client character set encodings, there are multibyte
+        characters in which the last byte is numerically equivalent to ASCII
+        <literal>\</>.  If client-side code does escaping incorrectly then a
+        SQL-injection attack is possible.  This risk can be prevented by
+        making the server reject queries in which a quote mark appears to be
+        escaped by a backslash.
+        The allowed values of <varname>backslash_quote</> are
+        <literal>on</> (allow <literal>\'</> always),
+        <literal>off</> (reject always), and
+        <literal>safe_encoding</> (allow only if client encoding does not
+        allow ASCII <literal>\</> within a multibyte character).
+        <literal>safe_encoding</> is the default setting.
        </para>
       </listitem>
      </varlistentry>
@@ -3560,6 +3552,43 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
       </listitem>
      </varlistentry>
 
+     <varlistentry id="guc-regex-flavor" xreflabel="regex_flavor">
+      <term><varname>regex_flavor</varname> (<type>string</type>)</term>
+      <indexterm><primary>regular expressions</></>
+      <indexterm>
+       <primary><varname>regex_flavor</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        The regular expression <quote>flavor</> can be set to
+        <literal>advanced</>, <literal>extended</>, or <literal>basic</>.
+        The default is <literal>advanced</>.  The <literal>extended</>
+        setting may be useful for exact backwards compatibility with
+        pre-7.4 releases of <productname>PostgreSQL</>.  See
+        <xref linkend="posix-syntax-details"> for details.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-sql-inheritance" xreflabel="sql_inheritance">
+      <term><varname>sql_inheritance</varname> (<type>boolean</type>)</term>
+      <indexterm>
+       <primary><varname>sql_inheritance</> configuration parameter</primary>
+      </indexterm>
+      <indexterm><primary>inheritance</></>
+      <listitem>
+       <para>
+        This controls the inheritance semantics, in particular whether
+        subtables are included by various commands by default. They were
+        not included in versions prior to 7.1. If you need the old
+        behavior you can set this variable to off, but in the long run
+        you are encouraged to change your applications to use the
+        <literal>ONLY</literal> key word to exclude subtables. See
+        <xref linkend="ddl-inherit"> for more information about inheritance.
+       </para>
+      </listitem>
+     </varlistentry>
+
      </variablelist>
     </sect3>
     <sect3 id="runtime-config-compatible-clients">
diff --git a/src/backend/parser/scan.l b/src/backend/parser/scan.l
index 828fa82f1d..392f9662ca 100644
--- a/src/backend/parser/scan.l
+++ b/src/backend/parser/scan.l
@@ -35,6 +35,15 @@ extern YYSTYPE yylval;
 static int		xcdepth = 0;	/* depth of nesting in slash-star comments */
 static char    *dolqstart;      /* current $foo$ quote start string */
 
+/*
+ * GUC variables.  This is a DIRECT violation of the warning given at the
+ * head of gram.y, ie flex/bison code must not depend on any GUC variables;
+ * as such, changing their values can induce very unintuitive behavior.
+ * But we shall have to live with it as a short-term thing until the switch
+ * to SQL-standard string syntax is complete.
+ */
+BackslashQuoteType backslash_quote = BACKSLASH_QUOTE_SAFE_ENCODING;
+
 /*
  * literalbuf is used to accumulate literal values when multiple rules
  * are needed to parse a single literal.  Call startlit to reset buffer
@@ -49,6 +58,7 @@ static int		literalalloc;	/* current allocated buffer size */
 static void addlit(char *ytext, int yleng);
 static void addlitchar(unsigned char ychar);
 static char *litbufdup(void);
+static int	pg_err_position(void);
 
 /*
  * When we parse a token that requires multiple lexer rules to process,
@@ -391,6 +401,17 @@ other			.
 					addlit(yytext, yyleng);
 				}
 <xq>{xqescape}  {
+					if (yytext[1] == '\'')
+					{
+						if (backslash_quote == BACKSLASH_QUOTE_OFF ||
+							(backslash_quote == BACKSLASH_QUOTE_SAFE_ENCODING &&
+							 PG_ENCODING_IS_CLIENT_ONLY(pg_get_client_encoding())))
+							ereport(ERROR,
+									(errcode(ERRCODE_INVALID_USE_OF_ESCAPE_CHARACTER),
+									 errmsg("unsafe use of \\' in a string literal"),
+									 errhint("Use '' to write quotes in strings. \\' is insecure in client-only encodings."),
+									 errposition(pg_err_position())));
+					}
 					addlitchar(unescape_single_char(yytext[1]));
 				}
 <xq>{xqoctesc}  {
@@ -613,14 +634,20 @@ other			.
 
 %%
 
-void
-yyerror(const char *message)
+static int
+pg_err_position(void)
 {
 	const char *loc = token_start ? token_start : yytext;
-	int			cursorpos;
 
 	/* in multibyte encodings, return index in characters not bytes */
-	cursorpos = pg_mbstrlen_with_len(scanbuf, loc - scanbuf) + 1;
+	return pg_mbstrlen_with_len(scanbuf, loc - scanbuf) + 1;
+}
+
+void
+yyerror(const char *message)
+{
+	const char *loc = token_start ? token_start : yytext;
+	int			cursorpos = pg_err_position();
 
 	if (*loc == YY_END_OF_BUFFER_CHAR)
 	{
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index b85f81e282..4e5f546d32 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -42,6 +42,7 @@
 #include "optimizer/geqo.h"
 #include "optimizer/paths.h"
 #include "optimizer/prep.h"
+#include "parser/gramparse.h"
 #include "parser/parse_expr.h"
 #include "parser/parse_relation.h"
 #include "parser/scansup.h"
@@ -113,6 +114,7 @@ static bool assign_stage_log_stats(bool newval, bool doit, GucSource source);
 static bool assign_log_stats(bool newval, bool doit, GucSource source);
 static bool assign_transaction_read_only(bool newval, bool doit, GucSource source);
 static const char *assign_canonical_path(const char *newval, bool doit, GucSource source);
+static const char *assign_backslash_quote(const char *newval, bool doit, GucSource source);
 
 
 /*
@@ -169,6 +171,7 @@ static char *log_destination_string;
 static bool phony_autocommit;
 static bool session_auth_is_superuser;
 static double phony_random_seed;
+static char *backslash_quote_string;
 static char *client_encoding_string;
 static char *datestyle_string;
 static char *default_iso_level_string;
@@ -1423,6 +1426,15 @@ static struct config_string ConfigureNamesString[] =
 		"", NULL, NULL
 	},
 
+	{
+		{"backslash_quote", PGC_USERSET, COMPAT_OPTIONS_PREVIOUS,
+			gettext_noop("Sets whether \"\\'\" is allowed in string literals."),
+			gettext_noop("Valid values are ON, OFF, and SAFE_ENCODING.")
+		},
+		&backslash_quote_string,
+		"safe_encoding", assign_backslash_quote, NULL
+	},
+
 	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
@@ -5613,6 +5625,32 @@ assign_log_stats(bool newval, bool doit, GucSource source)
 	return true;
 }
 
+static const char *
+assign_backslash_quote(const char *newval, bool doit, GucSource source)
+{
+	BackslashQuoteType bq;
+	bool	bqbool;
+
+	/*
+	 * Although only "on", "off", and "safe_encoding" are documented,
+	 * we use parse_bool so we can accept all the likely variants of
+	 * "on" and "off".
+	 */
+	if (pg_strcasecmp(newval, "safe_encoding") == 0)
+		bq = BACKSLASH_QUOTE_SAFE_ENCODING;
+	else if (parse_bool(newval, &bqbool))
+	{
+		bq = bqbool ? BACKSLASH_QUOTE_ON : BACKSLASH_QUOTE_OFF;
+	}
+	else
+		return NULL;			/* reject */
+
+	if (doit)
+		backslash_quote = bq;
+
+	return newval;
+}
+
 static bool
 assign_transaction_read_only(bool newval, bool doit, GucSource source)
 {
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 021b732096..61d0bfebf3 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -311,9 +311,10 @@
 # - Previous Postgres Versions -
 
 #add_missing_from = true
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#default_with_oids = true
 #regex_flavor = advanced	# advanced, extended, or basic
 #sql_inheritance = true
-#default_with_oids = true
 
 # - Other Platforms & Clients -
 
diff --git a/src/bin/psql/tab-complete.c b/src/bin/psql/tab-complete.c
index 10a8ede498..2370212a77 100644
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -512,6 +512,7 @@ psql_completion(char *text, int start, int end)
 		 */
 		"add_missing_from",
 		"australian_timezones",
+		"backslash_quote",
 		"client_encoding",
 		"client_min_messages",
 		"commit_delay",
@@ -1026,7 +1027,7 @@ psql_completion(char *text, int start, int end)
 			  pg_strcasecmp(prev2_wd, "TO") == 0))
 		{
 			static const char *const list_COPY[] =
-			{"BINARY", "OIDS", "DELIMETER", "NULL", "CSV", NULL};
+			{"BINARY", "OIDS", "DELIMITER", "NULL", "CSV", NULL};
 
 			COMPLETE_WITH_LIST(list_COPY);
 		}
diff --git a/src/include/parser/gramparse.h b/src/include/parser/gramparse.h
index 1e21312739..db1e60ee8b 100644
--- a/src/include/parser/gramparse.h
+++ b/src/include/parser/gramparse.h
@@ -18,6 +18,17 @@
 #include "nodes/parsenodes.h"
 
 
+typedef enum
+{
+	BACKSLASH_QUOTE_OFF,
+	BACKSLASH_QUOTE_ON,
+	BACKSLASH_QUOTE_SAFE_ENCODING
+} BackslashQuoteType;
+
+/* GUC variables in scan.l (every one of these is a bad idea :-() */
+extern BackslashQuoteType backslash_quote;
+
+
 /* from parser.c */
 extern int	yylex(void);
 
-- 
2.39.5