On Thu, 25 May 2006 00:25:01 +0000 (UTC) "Peter Bortas @ Pike developers forum" 10353@lyskom.lysator.liu.se wrote:
Normally we just conduct all security discussions without hiding anything. If you see that it might lead to problems for open installations out there, send a private message to me or Martin Nilsson. We can probably make sure that there at least is a new source build available 1h or so after a fix is checked in, if we decide a date and time in advance.
Well, I checked in a fix for 7.6 and 7.7 yesterday. The problem will affect anyone using the postgres module to connect to a database that is using a multi-byte character encoding, or utf8. It allows people to bypass the quoting of SQL characters like ', so SQL injection is possible even when people are using the pike module properly to try to prevent that.
Adam
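One well-known way a quoting routine can be bypassed under a multi-byte client encoding, together with a check a driver maintainer can run against such a routine. This is an added example, not code from the Pike postgres module or from this thread; it assumes the lead-byte absorption mechanism (GBK is used as the illustration) rather than whatever the actual Pike defect was, and it models the server's decoder as lenient (invalid bytes replaced rather than rejected).

```python
# Added example (not Pike project code): does a SQL string-quoting routine
# still produce an intact literal once the server decodes it with the
# connection's client encoding?  Assumed mechanism: in lead-byte encodings
# such as GBK, 0x5C (backslash) is a valid trail byte, so an escaping
# backslash can be swallowed into the preceding character, while 0x27 (')
# is never a trail byte, so SQL-standard quote doubling survives.

def quote_backslash(value: bytes) -> bytes:
    """Byte-wise backslash escaping, the style that breaks under lead-byte encodings."""
    return b"'" + value.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"


def quote_doubling(value: bytes) -> bytes:
    """SQL-standard doubling of the quote character, applied to the encoded bytes."""
    return b"'" + value.replace(b"'", b"''") + b"'"


def literal_intact(quoted: bytes, encoding: str) -> bool:
    """Decode as a lenient server would, then walk the text as a SQL lexer that
    honours both \\' and '' escapes.  True only if the closing quote is the very
    last character, i.e. the literal's boundary is where the quoting put it."""
    text = quoted.decode(encoding, errors="replace")  # assumed lenient server
    if not text.startswith("'"):
        return False
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":                       # backslash escape: skip escaped char
            i += 2
        elif ch == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                i += 2                       # doubled quote: an escaped quote
            else:
                return i == len(text) - 1    # closing quote must end the literal
        else:
            i += 1
    return False                             # ran off the end: never closed


def unsafe_lead_bytes(quote_fn, encoding: str) -> list:
    """Every high byte b for which quote_fn(b + "'") no longer yields an intact
    literal under `encoding`; a non-empty result means the routine is unsafe."""
    return [b for b in range(0x80, 0x100)
            if not literal_intact(quote_fn(bytes([b]) + b"'"), encoding)]


if __name__ == "__main__":
    sample = b"\xbf'"   # constructed: a GBK lead byte followed by a quote
    print("backslash/gbk intact:", literal_intact(quote_backslash(sample), "gbk"))
    print("doubling/gbk intact: ", literal_intact(quote_doubling(sample), "gbk"))
    print("unsafe leads (backslash, gbk):", len(unsafe_lead_bytes(quote_backslash, "gbk")))
```

The check only tells you whether a quoting routine matches the encoding the connection actually uses; the robust mitigation is to quote the encoded bytes with the server's own rules or, better, to pass values as query parameters so no quoting is needed at all.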