From 376d2ec0874144ee64e21ca79362793f116a381c Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 30 Oct 2015 14:54:17 +0000
Subject: [PATCH] Lookups: Do not escape percent or underbar in the ${quote_pgsql: } operator. Bug 1706
---
 doc/doc-docbook/spec.xfpt | 7 +++----
 doc/doc-txt/ChangeLog | 3 +++
 src/src/lookups/pgsql.c | 10 ++--------
 3 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index da4b7ec84..5254fb8a2 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7537,13 +7537,12 @@ a query is successfully processed. The result of a query may be that no data is found, but that is still a successful query. In other words, the list of servers provides a backup facility, not a list of different places to look.
+.new
 The &%quote_mysql%&, &%quote_pgsql%&, and &%quote_oracle%& expansion operators convert newline, tab, carriage return, and backspace to \n, \t, \r, and \b respectively, and the characters single-quote, double-quote, and backslash
-itself are escaped with backslashes. The &%quote_pgsql%& expansion operator, in
-addition, escapes the percent and underscore characters. This cannot be done
-for MySQL because these escapes are not recognized in contexts where these
-characters are not special.
+itself are escaped with backslashes.
+.wen
 .section "Specifying the server in the query" "SECTspeserque" For MySQL and PostgreSQL lookups (but not currently for Oracle and InterBase),
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index beedb59f4..8780780c0 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -63,6 +63,9 @@ JH/10 Bug 840: fix log_defer_output option of pipe transport JH/11 Bug 830: use same host for all RCPTS of a message, even under hosts_randomize. This matters a lot when combined with mua_wrapper.
+JH/12 Bug 1706: percent and underbar characters are no longer excaped by the
+ ${quote_pgsql:} operator.
+
 Exim version 4.86 -----------------
diff --git a/src/src/lookups/pgsql.c b/src/src/lookups/pgsql.c
index 4be3d98f1..01c5375bc 100644
--- a/src/src/lookups/pgsql.c
+++ b/src/src/lookups/pgsql.c
@@ -413,12 +413,6 @@ return lf_sqlperform(US"PostgreSQL", US"pgsql_servers", pgsql_servers, query, /* The characters that always need to be quoted (with backslash) are newline, tab, carriage return, backspace, backslash itself, and the quote characters.
-Percent and underscore are only special in contexts where they can be wild
-cards, and this isn't usually the case for data inserted from messages, since
-that isn't likely to be treated as a pattern of any kind. However, pgsql seems
-to allow escaping "on spec". If you use something like "where id="ab\%cd" it
-does treat the string as "ab%cd". So we can safely quote percent and
-underscore. [This is different to MySQL, where you can't do this.]
 The original code quoted single quotes as \' which is documented as valid in the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
@@ -448,7 +442,7 @@ uschar *quoted; if (opt != NULL) return NULL; /* No options recognized */ while ((c = *t++) != 0)
- if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL) count++;
+ if (Ustrchr("\n\t\r\b\'\"\\", c) != NULL) count++;
 if (count == 0) return s; t = quoted = store_get(Ustrlen(s) + count + 1);
@@ -460,7 +454,7 @@ while ((c = *s++) != 0) *t++ = '\''; *t++ = '\''; }
- else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL)
+ else if (Ustrchr("\n\t\r\b\"\\", c) != NULL)
 { *t++ = '\\'; switch(c)
--
2.30.2
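Review bot: The escape set is still spelled out twice, once in this counting loop (`"\n\t\r\b\'\"\\"`) and once in the copy loop of the following hunk at `@@ -460,7 +454,7 @@` (`"\n\t\r\b\"\\"`), and the two literals have to be edited in step, as this commit does by hand. The count is what sizes `store_get(Ustrlen(s) + count + 1)`, so a character later added to the copy loop alone would make the writes through `t` run past the allocation. A single file-scope constant used by both tests, for example `static const uschar pgsql_quote_chars[] = "\n\t\r\b\'\"\\";`, would remove that hazard; the single-quote case looks to be handled by the branch before the `else if`, though its condition lies outside the hunk. The function begins and ends outside both hunks.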
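Review bot: Dropping `%` and `_` from this `else if` set (and from the counting loop in the previous hunk) means a value expanded through `${quote_pgsql:}` into a `LIKE` pattern now reaches the server with both wildcards unescaped, and nothing in the new text tells an administrator that. Configurations that relied on the old behaviour for pattern matches may match more rows than intended after upgrading. The comment block above the function loses its only mention of the two characters, so I would keep one sentence there, such as `Percent and underscore are not escaped here; a query that places quoted data in a LIKE pattern has to escape them itself.`, and say the same in the spec paragraph that this commit shortens. The enclosing loop starts before the hunk and the `switch(c)` body continues past it.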