From 16e77740ea9e7f585393e4c5e20495f5ebce8d88 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sun, 21 May 2006 20:12:20 +0000
Subject: Add a new GUC parameter backslash_quote, which determines whether the
 SQL parser will allow "\'" to be used to represent a literal quote mark.  The
 "\'" representation has been deprecated for some time in favor of the
 SQL-standard representation "''" (two single quote marks), but it has been
 used often enough that just disallowing it immediately won't do.  Hence
 backslash_quote allows the settings "on", "off", and "safe_encoding", the
 last meaning to allow "\'" only if client_encoding is a valid server
 encoding.  That is now the default, and the reason is that in encodings such
 as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a multibyte
 character, accepting "\'" allows SQL-injection attacks as per CVE-2006-2314
 (further details will be published after release).  The "on" setting is
 available for backward compatibility, but it must not be used with clients
 that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
---
 doc/src/sgml/runtime.sgml | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index f77ee8e035a..718e90d8f85 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.7 2003/04/04 00:32:57 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.8 2006/05/21 20:12:20 tgl Exp $
 -->
 
 <Chapter Id="runtime">
@@ -1318,6 +1318,35 @@ env PGOPTIONS='-c geqo=off' psql
       </listitem>
      </varlistentry>
 
+     <varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
+      <term><varname>BACKSLASH_QUOTE</varname> (<type>string</type>)</term>
+      <indexterm><primary>strings</><secondary>backslash quotes</></>
+      <indexterm>
+       <primary><varname>backslash_quote</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        This controls whether a quote mark can be represented by
+        <literal>\'</> in a string literal.  The preferred, SQL-standard way
+        to represent a quote mark is by doubling it (<literal>''</>) but
+        <productname>PostgreSQL</> has historically also accepted
+        <literal>\'</>. However, use of <literal>\'</> creates security risks
+        because in some client character set encodings, there are multibyte
+        characters in which the last byte is numerically equivalent to ASCII
+        <literal>\</>.  If client-side code does escaping incorrectly then a
+        SQL-injection attack is possible.  This risk can be prevented by
+        making the server reject queries in which a quote mark appears to be
+        escaped by a backslash.
+        The allowed values of <varname>backslash_quote</> are
+        <literal>on</> (allow <literal>\'</> always),
+        <literal>off</> (reject always), and
+        <literal>safe_encoding</> (allow only if client encoding does not
+        allow ASCII <literal>\</> within a multibyte character).
+        <literal>safe_encoding</> is the default setting.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><varname>CLIENT_ENCODING</varname> (<type>string</type>)</term>
       <indexterm><primary>character set encoding</></>
-- 
cgit v1.2.3