Merge branch 'security/zf2015-02-2.3'

ZF2015-02 fixes

CHANGELOG.md

@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## 2.3.5 (TBD)
+
+### SECURITY UPDATES
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 ## 2.3.4 (2015-01-14)
 
 - [3758: partialLoop/partial View Helper can not be nested when using setObjectKey](https://github.com/zendframework/zf2/issues/3758)
@@ -703,6 +712,15 @@
 - [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
 - [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)
 
+## 2.2.10 (2015-02-18)
+
+### SECURITY UPDATES
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 ## 2.2.9 (2015-01-14)
 
 ### SECURITY UPDATES

README.md

@@ -19,6 +19,13 @@ DD MMM YYYY
 
 ### UPDATES IN 2.3.5
 
+This release contains security updates:
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 Please see [CHANGELOG.md](CHANGELOG.md).
 
 ### SYSTEM REQUIREMENTS

library/Zend/Db/Adapter/Platform/Postgresql.php

@@ -73,7 +73,7 @@ public function getQuoteIdentifierSymbol()
      */
     public function quoteIdentifier($identifier)
     {
-        return '"' . str_replace('"', '\\' . '"', $identifier) . '"';
+        return '"' . str_replace('"', '""', $identifier) . '"';
     }
 
     /**
@@ -84,7 +84,7 @@ public function quoteIdentifier($identifier)
      */
     public function quoteIdentifierChain($identifierChain)
     {
-        $identifierChain = str_replace('"', '\\"', $identifierChain);
+        $identifierChain = str_replace('"', '""', $identifierChain);
         if (is_array($identifierChain)) {
             $identifierChain = implode('"."', $identifierChain);
         }
@@ -122,7 +122,7 @@ public function quoteValue($value)
             'Attempting to quote a value in ' . __CLASS__ . ' without extension/driver support '
                 . 'can introduce security vulnerabilities in a production environment.'
         );
-        return '\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
+        return 'E\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
     }
 
     /**
@@ -144,7 +144,7 @@ public function quoteTrustedValue($value)
         if ($this->resource instanceof \PDO) {
             return $this->resource->quote($value);
         }
-        return '\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
+        return 'E\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
     }
 
     /**
@@ -204,7 +204,7 @@ public function quoteIdentifierInFragment($identifier, array $safeWords = array(
                 case 'as':
                     break;
                 default:
-                    $parts[$i] = '"' . str_replace('"', '\\' . '"', $part) . '"';
+                    $parts[$i] = '"' . str_replace('"', '""' . '"', $part) . '"';
             }
         }
         return implode('', $parts);

tests/ZendTest/Db/Adapter/Platform/PostgresqlTest.php

@@ -49,6 +49,7 @@ public function testGetQuoteIdentifierSymbol()
     public function testQuoteIdentifier()
     {
         $this->assertEquals('"identifier"', $this->platform->quoteIdentifier('identifier'));
+        $this->assertEquals('"identifier ""with"" double-quotes"', $this->platform->quoteIdentifier('identifier "with" double-quotes'));
     }
 
     /**
@@ -59,6 +60,7 @@ public function testQuoteIdentifierChain()
         $this->assertEquals('"identifier"', $this->platform->quoteIdentifierChain('identifier'));
         $this->assertEquals('"identifier"', $this->platform->quoteIdentifierChain(array('identifier')));
         $this->assertEquals('"schema"."identifier"', $this->platform->quoteIdentifierChain(array('schema','identifier')));
+        $this->assertEquals('"schema"."identifier ""with"" double-quotes"', $this->platform->quoteIdentifierChain(array('schema','identifier "with" double-quotes')));
     }
 
     /**
@@ -86,12 +88,12 @@ public function testQuoteValue()
      */
     public function testQuoteTrustedValue()
     {
-        $this->assertEquals("'value'", $this->platform->quoteTrustedValue('value'));
-        $this->assertEquals("'Foo O\\'Bar'", $this->platform->quoteTrustedValue("Foo O'Bar"));
-        $this->assertEquals('\'\\\'; DELETE FROM some_table; -- \'', $this->platform->quoteTrustedValue('\'; DELETE FROM some_table; -- '));
+        $this->assertEquals("E'value'", $this->platform->quoteTrustedValue('value'));
+        $this->assertEquals("E'Foo O\\'Bar'", $this->platform->quoteTrustedValue("Foo O'Bar"));
+        $this->assertEquals('E\'\\\'; DELETE FROM some_table; -- \'', $this->platform->quoteTrustedValue('\'; DELETE FROM some_table; -- '));
 
         //                   '\\\'; DELETE FROM some_table; -- '  <- actual below
-        $this->assertEquals("'\\\\\\'; DELETE FROM some_table; -- '", $this->platform->quoteTrustedValue('\\\'; DELETE FROM some_table; -- '));
+        $this->assertEquals("E'\\\\\\'; DELETE FROM some_table; -- '", $this->platform->quoteTrustedValue('\\\'; DELETE FROM some_table; -- '));
     }
 
     /**
@@ -103,7 +105,7 @@ public function testQuoteValueList()
             'PHPUnit_Framework_Error',
             'Attempting to quote a value in Zend\Db\Adapter\Platform\Postgresql without extension/driver support can introduce security vulnerabilities in a production environment'
         );
-        $this->assertEquals("'Foo O\\'Bar'", $this->platform->quoteValueList("Foo O'Bar"));
+        $this->assertEquals("'Foo O\'\'Bar'", $this->platform->quoteValueList("Foo O'Bar"));
     }
 
     /**