Bump version

Fix vulnerability
2026-01-18 15:55:05 +00:00 · 2017-08-12 16:35:43 -05:00 · 2017-08-12 16:35:05 -05:00
3 changed files with 14 additions and 2 deletions
--- a/lib/result.js
+++ b/lib/result.js
@ -8,6 +8,7 @@
 */

 var types = require('pg-types')
+var escape = require('js-string-escape')

 // result object returned from query
 // in the 'end' event and also
@ -82,7 +83,7 @@ var inlineParser = function (fieldName, i) {
    // Addendum: However, we need to make sure to replace all
    // occurences of apostrophes, not just the first one.
    // See https://github.com/brianc/node-postgres/issues/934
-    fieldName.replace(/'/g, "\\'") +
+    escape(fieldName) +
    "'] = " +
    'rowData[' + i + '] == null ? null : parsers[' + i + '](rowData[' + i + ']);'
 }
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "pg",
-  "version": "7.0.2",
+  "version": "7.0.3",
  "description": "PostgreSQL client - pure javascript & libpq with the same API",
  "keywords": [
    "postgres",
@ -20,6 +20,7 @@
  "dependencies": {
    "buffer-writer": "1.0.1",
    "packet-reader": "0.3.1",
+    "js-string-escape": "1.0.1",
    "pg-connection-string": "0.1.3",
    "pg-pool": "2.*",
    "pg-types": "1.*",
--- a/test/integration/client/field-name-escape-tests.js
+++ b/test/integration/client/field-name-escape-tests.js
@ -0,0 +1,10 @@
+var pg = require('./test-helper').pg
+
+var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
+
+var client = new pg.Client()
+client.connect()
+client.query(sql, function (err, res) {
+  if (err) throw err
+  client.end()
+})
Author	SHA1	Message	Date
Brian M. Carlson	f7634072fa	Bump version	2017-08-12 16:35:43 -05:00
Brian M. Carlson	d268c97d7c	Fix vulnerability	2017-08-12 16:35:05 -05:00