[Psycopg] copy_from doesn't handle specifying null character properly
Federico Di Gregorio
fog at initd.org
Sat Jul 19 15:09:35 CEST 2008
On Fri, 18/07/2008 at 17.14 +1000, Alejandro Dubrovsky wrote:
> Hi all,
>
> I'll make it short:
>
> cursor.copy_from(somefile, 'sometable')
> works in cases where
> cursor.copy_from(somefile, 'sometable', null='\\N')
> doesn't. This is in bzr trunk (or whatever head is called in bzr)
>
>
> It does work with the following:
>
> cursor.copy_from(somefile, 'sometable', null=r'\\N')
> or
> cursor.copy_from(somefile, 'sometable', null='\\\\N')
>
>
> psycopg2 sends the following to postgres (from the debug output):
>
> ...testsimple FROM stdin USING DELIMITERS ' ' WITH NULL AS '\N'
>
> which postgres sort of interprets as N (eating the escape). psycopg2
> should escape the string before sending it to postgres.
>
> In some possible configurations, this could be a security hole. If
> input from the user is passed to psycopg2 as the null parameter in the
> very reasonable assumption that psycopg2 should escape those values,
> something like null="'; <malicious code> where '' = '" would likely get

Yes, psycopg should quote that data. I'll fix this problem ASAP.
federico
--
Federico Di Gregorio http://people.initd.org/fog
Debian GNU/Linux Developer fog at debian.org
INIT.D Developer fog at initd.org
If we are going to teach "creation science" as an alternative to
evolution, then we should also teach the stork theory as an
alternative to biological reproduction. -- Judith Hayes
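
Added example, not part of the original messages and not psycopg2's own code: the COPY statement built with the null value pasted in unescaped, as the thread reports, next to a version that quotes it as an escape-string literal. All function names are hypothetical, the statement is a shortened form of the debug output quoted above, and decode_null_literal is a simplified model of the server's string parsing with backslash escapes enabled.

```python
# Added illustration; helper names are hypothetical, not psycopg2 API.

def copy_sql_naive(table, null):
    # Behaviour reported in the thread: the null string is interpolated as-is.
    return "COPY %s FROM stdin WITH NULL AS '%s'" % (table, null)

def quote_literal(value):
    # Escape-string literal: double backslashes and single quotes so the
    # server decodes exactly `value`.
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def copy_sql_quoted(table, null):
    return "COPY %s FROM stdin WITH NULL AS %s" % (table, quote_literal(null))

def decode_null_literal(sql):
    """Simplified model of how the server reads the literal after NULL AS when
    backslash escapes are on. Only covers characters with no special escape
    meaning (so \\N, \\\\ and quotes, not \\n or \\t).
    Returns (decoded value, text left over after the closing quote)."""
    rest = sql.split(" NULL AS ", 1)[1]
    i = rest.index("'") + 1           # skip optional E prefix and opening quote
    out = []
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])   # backslash is consumed, next char kept
            i += 2
        elif ch == "'":
            if rest[i + 1:i + 2] == "'":
                out.append("'")       # doubled quote is a literal quote
                i += 2
            else:
                return "".join(out), rest[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

if __name__ == "__main__":
    # Constructed sample values: the \N marker and a value containing a quote.
    for null in ("\\N", "a'b"):
        for build in (copy_sql_naive, copy_sql_quoted):
            sql = build("sometable", null)
            print(build.__name__, repr(null), "->", decode_null_literal(sql))
```

Any non-empty leftover text in the second element of the result means the literal ended before the caller's value did, which is the condition the original report warns about.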