#2547 PostgreSQL adapter: quote_string is not thread safe - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#2547 ✓resolved

PostgreSQL adapter: quote_string is not thread safe

Reported by Eugene Pimenov | April 23rd, 2009 @ 10:51 AM | in 2.x

PostgreSQL adapter calls PGconn.escape class method which is not thread safe. Should call PGconn#escape instance method which is thread safe. Simple as that.

The same goes with escape_bytea. There's no PQunescapeByteaConn, so I assume unescpae_bytea is thread safe.

The problem exists at least in 2.2.2+.

0001-PostgreSQL-adapter-should-call-thread-safe-quote_str.patch 1.9 KB

Comments and changes to this ticket

You flagged this item as spam.
Max Lapshin April 27th, 2009 @ 03:04 PM
- Assigned user set to “Tarmo Tänav”
Eugene, where is written, that PGconn.escape is unsafe?

Eugene Pimenov April 27th, 2009 @ 03:12 PM


>> puts $$
94100
>> PGconn.escape('test')
=> "test"
>> PGconn.new({}).escape('test')
=> "test"


 sudo dtrace -n 'pid94100::PQescapeString:entry { printf("it called me\n") } pid94100::PQescapeStringConn:entry { printf("it called me\n") }'
dtrace: description 'pid94100::PQescapeString:entry ' matched 2 probes
CPU     ID                    FUNCTION:NAME
  1  22323             PQescapeString:entry it called me

  0  22324         PQescapeStringConn:entry it called me

http://www.postgresql.org/docs/8...


PQescapeString can be used safely in single-threaded client programs that work with only one PostgreSQL connection at a time (in this case it can find out what it needs to know "behind the scenes"). In other contexts it is a security hazard and should be avoided in favor of PQescapeStringConn.

You flagged this item as spam.
Max Lapshin April 27th, 2009 @ 03:33 PM
- Tag changed from “activecord, database, escape, escaping, patch, postgres, postgresql” to “activecord, bug, database, escape, escaping, patch, postgres, postgresql”
+1 This patch works for me, all test passed and it seems to be rather good.
Michael Koziarski June 9th, 2009 @ 09:13 AM
- State changed from “new” to “resolved”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

0001-PostgreSQL-adapter-sho... 1.9 KB

Rails Ruby on Rails → 2.x

PostgreSQL adapter: quote_string is not thread safe

Comments and changes to this ticket

Max Lapshin April 27th, 2009 @ 03:04 PM

Eugene Pimenov April 27th, 2009 @ 03:12 PM

Max Lapshin April 27th, 2009 @ 03:33 PM

Michael Koziarski June 9th, 2009 @ 09:13 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Pages

Rails Ruby on Rails → 2.x

Keyword searching

PostgreSQL adapter: quote_string is not thread safe

Comments and changes to this ticket

Max Lapshin April 27th, 2009 @ 03:04 PM

Eugene Pimenov April 27th, 2009 @ 03:12 PM

Max Lapshin April 27th, 2009 @ 03:33 PM

Michael Koziarski June 9th, 2009 @ 09:13 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Pages