Hacker News
by thaumasiotes 464 days ago
> The postgres escape function actually worked fine before this "CVE". It was documented as escaping something for use as part of a postgres query.

> BeyondTrust used it as input to the 'psql' tool, which is an interactive tool you're not really supposed to programmatically invoke, and the documentation for the postgres escape function didn't say it escaped input for psql.

But this is the documentation for psql:

> psql is a terminal-based front-end to PostgreSQL. It enables you to type in queries interactively, issue them to PostgreSQL, and see the query results. Alternatively, input can be from a file or from command line arguments. In addition, psql provides a number of meta-commands and various shell-like features to facilitate writing scripts and automating a wide variety of tasks.

We can learn two things from this:

1. You are definitely supposed to be able to invoke psql programmatically, or else the suggestion to "write scripts and automate a wide variety of tasks" would make no sense.

2. The input to psql is documented as a "query", and it seems fine to assume that a "query" for psql is the same thing as a "postgres query".
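As an added example (not part of the comment above, and not code from BeyondTrust or the PostgreSQL project), the psql script below shows the scripted, file-driven invocation that the quoted documentation describes, with the untrusted value handed to psql as a psql variable and interpolated with :'var', which psql itself quotes as an SQL literal, rather than spliced into the query text by the calling program. The database name, table, column and the variable name "who" are assumptions for illustration.

```sql
-- Added example: a psql script run non-interactively, not from the thread.
-- Invoke as (values hypothetical):
--   psql -X -v ON_ERROR_STOP=1 -v who="$USER_INPUT" -d appdb -f lookup.sql
--
-- -X skips ~/.psqlrc so the script does not inherit the invoking user's
-- configuration; ON_ERROR_STOP makes the first error fatal instead of
-- letting psql carry on with the next statement.

-- :{?who} is TRUE when the psql variable "who" has been set (psql 10+).
\if :{?who}

-- :'who' expands to the value of the variable as a single-quoted SQL
-- literal, so the caller never assembles query text around the value;
-- :"who" would instead quote it as an identifier.
SELECT id, name
  FROM users
 WHERE name = :'who';

\else
-- Fail loudly rather than letting an unset :'who' reach the server as-is.
\warn 'variable "who" not set; invoke with -v who=VALUE'
\q
\endif
```

The point relevant to the thread is the division of labour: with -v and :'var', the program invoking psql supplies a value, and psql performs the quoting at the moment it interpolates the variable into the statement, so the caller is not choosing an escape function for text that psql will parse.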