Zuzana Miklankova
parent
da056622a0
commit
99a414ac29
|
|
@ -4,3 +4,4 @@
|
|||
/postgresql-42.2.15-jdbc-src.tar.gz
|
||||
/postgresql-42.2.16-jdbc-src.tar.gz
|
||||
/postgresql-42.2.18-jdbc-src.tar.gz
|
||||
/postgresql-42.2.27-jdbc-src.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,92 +0,0 @@
|
|||
Fix CVE-2022-31197
|
||||
|
||||
Source of this commit and more information about it is here:
|
||||
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
|
||||
|
||||
diff --git a/src/main/java/org/postgresql/jdbc/PgResultSet.java b/src/main/java/org/postgresql/jdbc/PgResultSet.java
|
||||
index 42c6dda6..81a5ef1d 100644
|
||||
--- a/src/main/java/org/postgresql/jdbc/PgResultSet.java
|
||||
+++ b/src/main/java/org/postgresql/jdbc/PgResultSet.java
|
||||
@@ -1323,7 +1323,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
|
||||
if (i > 1) {
|
||||
selectSQL.append(", ");
|
||||
}
|
||||
- selectSQL.append(pgmd.getBaseColumnName(i));
|
||||
+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
|
||||
}
|
||||
selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
|
||||
|
||||
@@ -1333,7 +1333,8 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
|
||||
for (int i = 0; i < numKeys; i++) {
|
||||
|
||||
PrimaryKey primaryKey = primaryKeys.get(i);
|
||||
- selectSQL.append(primaryKey.name).append("= ?");
|
||||
+ Utils.escapeIdentifier(selectSQL, primaryKey.name);
|
||||
+ selectSQL.append(" = ?");
|
||||
|
||||
if (i < numKeys - 1) {
|
||||
selectSQL.append(" and ");
|
||||
|
||||
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
|
||||
new file mode 100644
|
||||
index 00000000..3a4a7e51
|
||||
--- /dev/null
|
||||
+++ b/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022, PostgreSQL Global Development Group
|
||||
+ * See the LICENSE file in the project root for more information.
|
||||
+ */
|
||||
+
|
||||
+package org.postgresql.test.jdbc2;
|
||||
+
|
||||
+import static org.junit.Assert.assertTrue;
|
||||
+
|
||||
+import org.postgresql.test.TestUtil;
|
||||
+
|
||||
+import org.junit.Test;
|
||||
+
|
||||
+import java.sql.ResultSet;
|
||||
+import java.sql.SQLException;
|
||||
+import java.sql.Statement;
|
||||
+import java.sql.Connection;
|
||||
+
|
||||
+public class ResultSetRefreshTest extends BaseTest4 {
|
||||
+ @Test
|
||||
+ public void testWithDataColumnThatRequiresEscaping() throws Exception {
|
||||
+ Connection conn = con;
|
||||
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
|
||||
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)",conn);
|
||||
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)",conn);
|
||||
+
|
||||
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
|
||||
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
|
||||
+ assertTrue(rs.next());
|
||||
+ try {
|
||||
+ rs.refreshRow();
|
||||
+ } catch (SQLException ex) {
|
||||
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
|
||||
+ }
|
||||
+ rs.close();
|
||||
+ stmt.close();
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void testWithKeyColumnThatRequiresEscaping() throws Exception {
|
||||
+ Connection conn = con;
|
||||
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
|
||||
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)",conn);
|
||||
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)",conn);
|
||||
+
|
||||
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
|
||||
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
|
||||
+ assertTrue(rs.next());
|
||||
+ try {
|
||||
+ rs.refreshRow();
|
||||
+ } catch (SQLException ex) {
|
||||
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
|
||||
+ }
|
||||
+ rs.close();
|
||||
+ stmt.close();
|
||||
+ }
|
||||
+}
|
||||
|
|
@ -48,13 +48,12 @@
|
|||
|
||||
Summary: JDBC driver for PostgreSQL
|
||||
Name: postgresql-jdbc
|
||||
Version: 42.2.18
|
||||
Release: 6%{?dist}
|
||||
Version: 42.2.27
|
||||
Release: 1%{?dist}
|
||||
License: BSD
|
||||
URL: http://jdbc.postgresql.org/
|
||||
|
||||
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
|
||||
Patch0: postgresql-jdbc-CVE-2022-31197.patch
|
||||
|
||||
Provides: pgjdbc = %version-%release
|
||||
|
||||
|
|
@ -100,8 +99,6 @@ This package contains the API Documentation for %{name}.
|
|||
|
||||
mv postgresql-%{version}-jdbc-src/* .
|
||||
|
||||
%patch0 -p1
|
||||
|
||||
# remove any binary libs
|
||||
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
|
||||
|
||||
|
|
@ -168,6 +165,10 @@ opts="-f"
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 03 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.27-1
|
||||
- rebase to 42.2.27
|
||||
- fix for CVE-2022-41946
|
||||
|
||||
* Tue Oct 11 2022 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.18-6
|
||||
- fix for CVE-2022-31197
|
||||
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (postgresql-42.2.18-jdbc-src.tar.gz) = 694458f9b58a1470f0fd2c77870bf73f21818a5112d446ddabb819730616be7e2f038ed132c970ba4285fb4c956c4e8a888b664270eb6493510d1e14d30a4961
|
||||
SHA512 (postgresql-42.2.27-jdbc-src.tar.gz) = bfcd53e95b8170830526e22c8bbed60f5175826380efd8052e880540dda579fa05c75544b213993868dfdeceb04f4dfa811c846829133699a9dfb0980b0e2e20
|
||||
|
|
|
|||
Loading…
Reference in New Issue