ext/pgsql: escape table name, delimiter, null marker in pg_copy_from/to

The COPY query embedded the table_name argument with a raw "%s" and the
delimiter and null marker inside literal E'..' wrappers, so caller-supplied
strings could break out and run side queries. Route bare table names
through build_tablename (the same helper pg_insert/update/select/delete
have used since bug #62978), and pass the delimiter and null marker
through PQescapeLiteral. pg_copy_to keeps the parenthesised (query)
source form documented in bug 73498.

Closes phpGH-21985

Author: iliaal

ext/pgsql/pgsql.c

@@ -273,6 +273,8 @@ static void pgsql_lob_free_obj(zend_object *obj)
 
 /* Compatibility definitions */
 
+static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link, const zend_string *table);
+
 static zend_string *_php_pgsql_trim_message(const char *message)
 {
 	size_t i = strlen(message);
@@ -3348,8 +3350,7 @@ PHP_FUNCTION(pg_copy_to)
 	zend_string *table_name;
 	zend_string *pg_delimiter = NULL;
 	char *pg_null_as = "\\\\N";
-	size_t pg_null_as_len = 0;
-	char *query;
+	size_t pg_null_as_len = sizeof("\\\\N") - 1;
 	PGconn *pgsql;
 	PGresult *pgsql_result;
 	ExecStatusType status;
@@ -3373,14 +3374,34 @@ PHP_FUNCTION(pg_copy_to)
 		zend_argument_value_error(3, "must be one character");
 		RETURN_THROWS();
 	}
+	smart_str querystr = {0};
+	smart_str_appends(&querystr, "COPY ");
+	if (ZSTR_LEN(table_name) > 0 && ZSTR_VAL(table_name)[0] == '(') {
+		smart_str_append(&querystr, table_name);
+	} else if (build_tablename(&querystr, pgsql, table_name) == FAILURE) {
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
 
-	spprintf(&query, 0, "COPY %s TO STDOUT DELIMITER E'%c' NULL AS E'%s'", ZSTR_VAL(table_name), *ZSTR_VAL(pg_delimiter), pg_null_as);
+	char *escaped_delimiter = PQescapeLiteral(pgsql, ZSTR_VAL(pg_delimiter), 1);
+	char *escaped_null_as = PQescapeLiteral(pgsql, pg_null_as, pg_null_as_len);
+	if (!escaped_delimiter || !escaped_null_as) {
+		php_error_docref(NULL, E_WARNING, "Failed to escape COPY parameters");
+		if (escaped_delimiter) PQfreemem(escaped_delimiter);
+		if (escaped_null_as) PQfreemem(escaped_null_as);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	smart_str_append_printf(&querystr, " TO STDOUT DELIMITER %s NULL AS %s", escaped_delimiter, escaped_null_as);
+	smart_str_0(&querystr);
+	PQfreemem(escaped_delimiter);
+	PQfreemem(escaped_null_as);
 
 	while ((pgsql_result = PQgetResult(pgsql))) {
 		PQclear(pgsql_result);
 	}
-	pgsql_result = PQexec(pgsql, query);
-	efree(query);
+	pgsql_result = PQexec(pgsql, ZSTR_VAL(querystr.s));
+	smart_str_free(&querystr);
 
 	if (pgsql_result) {
 		status = PQresultStatus(pgsql_result);
@@ -3463,8 +3484,7 @@ PHP_FUNCTION(pg_copy_from)
 	zend_string *table_name;
 	zend_string *pg_delimiter = NULL;
 	char *pg_null_as = "\\\\N";
-	size_t pg_null_as_len;
-	char *query;
+	size_t pg_null_as_len = sizeof("\\\\N") - 1;
 	PGconn *pgsql;
 	PGresult *pgsql_result;
 	ExecStatusType status;
@@ -3488,14 +3508,33 @@ PHP_FUNCTION(pg_copy_from)
 		zend_argument_value_error(4, "must be one character");
 		RETURN_THROWS();
 	}
+	smart_str querystr = {0};
+	smart_str_appends(&querystr, "COPY ");
+	if (build_tablename(&querystr, pgsql, table_name) == FAILURE) {
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+
+	char *escaped_delimiter = PQescapeLiteral(pgsql, ZSTR_VAL(pg_delimiter), 1);
+	char *escaped_null_as = PQescapeLiteral(pgsql, pg_null_as, pg_null_as_len);
+	if (!escaped_delimiter || !escaped_null_as) {
+		php_error_docref(NULL, E_WARNING, "Failed to escape COPY parameters");
+		if (escaped_delimiter) PQfreemem(escaped_delimiter);
+		if (escaped_null_as) PQfreemem(escaped_null_as);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	smart_str_append_printf(&querystr, " FROM STDIN DELIMITER %s NULL AS %s", escaped_delimiter, escaped_null_as);
+	smart_str_0(&querystr);
+	PQfreemem(escaped_delimiter);
+	PQfreemem(escaped_null_as);
 
-	spprintf(&query, 0, "COPY %s FROM STDIN DELIMITER E'%c' NULL AS E'%s'", ZSTR_VAL(table_name), *ZSTR_VAL(pg_delimiter), pg_null_as);
 	while ((pgsql_result = PQgetResult(pgsql))) {
 		PQclear(pgsql_result);
 	}
-	pgsql_result = PQexec(pgsql, query);
+	pgsql_result = PQexec(pgsql, ZSTR_VAL(querystr.s));
 
-	efree(query);
+	smart_str_free(&querystr);
 
 	if (pgsql_result) {
 		status = PQresultStatus(pgsql_result);

ext/pgsql/tests/pg_copy_from_null_as_escape.phpt

@@ -0,0 +1,43 @@
+--TEST--
+pg_copy_from() escapes the null_as argument
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_injected');
+pg_query($db, 'CREATE TABLE pg_copy_null_as_target (v text)');
+
+$evil = "X'; CREATE TABLE pg_copy_null_as_injected (v text); --";
+var_dump(pg_copy_from($db, 'pg_copy_null_as_target', ["row\n"], "\t", $evil));
+
+$r = pg_query($db, "SELECT 1 FROM pg_tables WHERE tablename = 'pg_copy_null_as_injected'");
+var_dump(pg_num_rows($r));
+
+$r = pg_query($db, 'SELECT v FROM pg_copy_null_as_target ORDER BY v');
+var_dump(pg_fetch_all($r));
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_injected');
+?>
+--EXPECT--
+bool(true)
+int(0)
+array(1) {
+  [0]=>
+  array(1) {
+    ["v"]=>
+    string(3) "row"
+  }
+}

ext/pgsql/tests/pg_copy_from_table_name_escape.phpt

@@ -0,0 +1,36 @@
+--TEST--
+pg_copy_from() escapes the table name argument
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_target');
+pg_query($db, 'CREATE TABLE pg_copy_from_target (v text)');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_other');
+pg_query($db, 'CREATE TABLE pg_copy_from_other (v text)');
+
+$evil = "pg_copy_from_other FROM STDIN --";
+var_dump(pg_copy_from($db, $evil, ["redirected\n"]));
+
+$rows = pg_fetch_all(pg_query($db, 'SELECT v FROM pg_copy_from_other')) ?: [];
+var_dump($rows);
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_other');
+?>
+--EXPECTF--
+Warning: pg_copy_from(): %s in %s on line %d
+bool(false)
+array(0) {
+}

ext/pgsql/tests/pg_copy_to_table_name_escape.phpt

@@ -0,0 +1,34 @@
+--TEST--
+pg_copy_to() escapes the table name argument
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_to_source');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_to_injected');
+pg_query($db, 'CREATE TABLE pg_copy_to_source (v text)');
+
+$evil = "pg_copy_to_source; CREATE TABLE pg_copy_to_injected (v text); --";
+var_dump(pg_copy_to($db, $evil));
+
+$r = pg_query($db, "SELECT 1 FROM pg_tables WHERE tablename = 'pg_copy_to_injected'");
+var_dump(pg_num_rows($r));
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_to_source');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_to_injected');
+?>
+--EXPECTF--
+Warning: pg_copy_to(): %s in %s on line %d
+bool(false)
+int(0)