

Merge pull request 2ndQuadrant#2 from 3nids/schemasafe
`text || regclass`, via the `regclass` to `text` cast, already quotes table identifiers where necessary. The `quote_ident` calls here are unnecessary, and in fact incorrect: the quotes that the `regclass` cast already added are treated as part of the identifier name and escaped a second time.

Example:

```
create table "I will
hack your');DROP TABLE student;--" (
haha integer
);

SELECT '"I will
hack your'');DROP TABLE student;--"'::regclass::oid;

-- Produces oid 53060 here

regress=> SELECT 'DROP TABLE ' || 53060::oid::regclass;
              ?column?              
------------------------------------
 DROP TABLE "I will                +
 hack your');DROP TABLE student;--"
(1 row)

regress=> SELECT 'DROP TABLE ' || quote_ident(53060::oid::regclass::text);
               ?column?               
--------------------------------------
 DROP TABLE """I will                +
 hack your');DROP TABLE student;--"""
(1 row)
```
ringerc committed Jan 28, 2014
2 parents 7a3fc20 + 7abe129 commit 8996199
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions audit.sql
Expand Up @@ -184,15 +184,15 @@ DECLARE
_q_txt text;
_ignored_cols_snip text = '';
BEGIN
EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || quote_ident(target_table::text);
EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || quote_ident(target_table::text);
EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_table;
EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_table;

IF audit_rows THEN
IF array_length(ignored_cols,1) > 0 THEN
_ignored_cols_snip = ', ' || quote_literal(ignored_cols);
END IF;
_q_txt = 'CREATE TRIGGER audit_trigger_row AFTER INSERT OR UPDATE OR DELETE ON ' ||
quote_ident(target_table::text) ||
target_table ||
' FOR EACH ROW EXECUTE PROCEDURE audit.if_modified_func(' ||
quote_literal(audit_query_text) || _ignored_cols_snip || ');';
RAISE NOTICE '%',_q_txt;
Expand All @@ -202,7 +202,7 @@ BEGIN
END IF;

_q_txt = 'CREATE TRIGGER audit_trigger_stm AFTER ' || stm_targets || ' ON ' ||
quote_ident(target_table::text) ||
target_table ||
' FOR EACH STATEMENT EXECUTE PROCEDURE audit.if_modified_func('||
quote_literal(audit_query_text) || ');';
RAISE NOTICE '%',_q_txt;
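Review bot: The two DROP TRIGGER EXECUTEs and the two CREATE TRIGGER string builds in this hunk now get their identifier quoting solely from the implicit regclass-to-text output cast of `target_table`, and nothing in the new code records that reliance; if the parameter were later declared as `text` (or a caller passed a plain name through a text overload without casting it to regclass), the quoting would silently vanish and these EXECUTEs would become injectable via the table name. A comment at the first EXECUTE would make the invariant explicit, e.g. `-- target_table is regclass: its text cast already quotes (and schema-qualifies where needed) the name, so quote_ident() must NOT be applied here and the parameter type must stay regclass.` The enclosing function starts above this hunk (only the tail of its DECLARE block is visible), so the parameter's declared type cannot be confirmed from here. Note also that regclass output omits the schema for tables visible on the current search_path; that is consistent within the executing session, but it means the RAISE NOTICE text is search_path-dependent.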

