[Pdns-dev] Incorrect escaping of SQLite queries
Andy Smith
andy at strugglers.net
Thu Aug 12 10:56:18 CEST 2010
Hello,
A few weeks ago one of my users, for whom I provide slave DNS
servers, reported that my DNS servers were serving up some incorrect
records.
The tale of that was described by me in this email to pdns-users:
http://mailman.powerdns.com/pipermail/pdns-users/2010-July/006849.html
It turns out that the escaping code for SQLite in powerdns is wrong.
SQLite doesn't treat backslashes as special, so it doesn't need to
escape them, and it also doesn't escape apostrophe (') with a
backslash, but with another apostrophe (''):
http://www.sqlite.org/lang_expr.html "Literal Values"
I don't really know C++ and I'm not familiar with powerdns's code,
but I looked a bit deeper and it seems that the SQLite backend just
uses a generic SQL escaping function.
I reported the bug against the debian package:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590285
and made this trivial patch which seems to have resolved the problem
for me:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=fix-sqlite-escaping.patch;att=1;bug=590285
Cheers,
Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20100812/71a142ae/attachment.pgp>
More information about the Pdns-dev
mailing list