authorMikhail Teterin <mi@FreeBSD.org>2002-01-09 20:49:02 +0000
committerMikhail Teterin <mi@FreeBSD.org>2002-01-09 20:49:02 +0000
commit6c09982b17ab943af46cd13ff77c58fba3868e3f (patch)
treee724e8bde9609cd26232c722932a9745e077f23a /security
parent396ebf2f43b8853648b22d557bc0566bf663355a (diff)
Diffstat (limited to 'security')
-rw-r--r--security/pam-pgsql/Makefile4
-rw-r--r--security/pam-pgsql/files/Makefile.bsd5
-rw-r--r--security/pam-pgsql/files/pqescape.c66
3 files changed, 71 insertions, 4 deletions
diff --git a/security/pam-pgsql/Makefile b/security/pam-pgsql/Makefile
index 837c2add1a3c..885b70ca0cec 100644
--- a/security/pam-pgsql/Makefile
+++ b/security/pam-pgsql/Makefile
@@ -16,8 +16,6 @@ MAINTAINER= mi@aldan.algebra.com
LIB_DEPENDS= pq:${PORTSDIR}/databases/postgresql7
-FORBIDDEN= can be broken by carefully crafted password string
-
# When the family of Debian mirrors is added to bsd.port.mk,
# this will suddenly start making sense:
MASTER_SITE_DEBIAN?= http://ftp.debian.org/debian/%SUBDIR%/
@@ -29,7 +27,7 @@ MASTER_SITES_DEBIAN+= http://ftp.au.debian.org/pub/debian/%SUBDIR%/ \
ftp://ftp.bora.net/pub/linux/debian/%SUBDIR%/
MAKEFILE= ${FILESDIR}/Makefile.bsd
-MAKE_ARGS+= -j 2
+MAKE_ARGS+= -j 2 FILESDIR=${FILESDIR}
post-install:
${CAT} ${PKGMESSAGE}
diff --git a/security/pam-pgsql/files/Makefile.bsd b/security/pam-pgsql/files/Makefile.bsd
index 90e58ccb38f7..cef112fc21d8 100644
--- a/security/pam-pgsql/files/Makefile.bsd
+++ b/security/pam-pgsql/files/Makefile.bsd
@@ -1,6 +1,9 @@
# This makefile is inspired by those in /usr/src/lib/libpam/modules :-)
-SRCS= pam_pgsql.c pam_get_pass.c pam_std_option.c pam_get_service.c
+.PATH: ${FILESDIR}
+
+SRCS= pam_pgsql.c pam_get_pass.c pam_std_option.c pam_get_service.c \
+ pqescape.c
LIB= pam_pgsql
SHLIB_NAME=${LIB}.so
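Review bot: Nothing in the visible build sets `HAVE_PQESCAPESTRING`, so adding `pqescape.c` to `SRCS` means the bundled copy is always compiled, even once the installed libpq exports its own `PQescapeString`. The module would then presumably keep using this frozen copy and miss any later fixes made in libpq. A comment next to the `SRCS` line would record the intent, for example `# pqescape.c: drop, or build with -DHAVE_PQESCAPESTRING, once databases/postgresql7 ships PQescapeString`.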
diff --git a/security/pam-pgsql/files/pqescape.c b/security/pam-pgsql/files/pqescape.c
new file mode 100644
index 000000000000..c13304e0a204
--- /dev/null
+++ b/security/pam-pgsql/files/pqescape.c
@@ -0,0 +1,66 @@
+/*
+ * PQescapeString implementation is from
+ * <URL:http://cert.uni-stuttgart.de/doc/postgresql/escape/>
+ * It will be available in a later release of PostGreSQL.
+ */
+#if !defined(HAVE_PQESCAPESTRING)
+#include <sys/types.h>
+
+/* Quoting strings before inclusion in queries. */
+size_t PQescapeString (char *to, const char *from, size_t length);
+
+/* ---------------
+ * Escaping arbitrary strings to get valid SQL strings/identifiers.
+ *
+ * Replaces "\\" with "\\\\", "\0" with "\\0", and "'" with "''".
+ * length is the length of the buffer pointed to by
+ * from. The buffer at to must be at least 2*length + 1 characters
+ * long. A terminating NUL character is written.
+ * ---------------
+ */
+
+size_t
+PQescapeString (char *to, const char *from, size_t length)
+{
+ const char *source = from;
+ char *target = to;
+ unsigned int remaining = length;
+
+ while (remaining > 0) {
+ switch (*source) {
+ case '\0':
+ *target = '\\';
+ target++;
+ *target = '0';
+ /* target and remaining are updated below. */
+ break;
+
+ case '\\':
+ *target = '\\';
+ target++;
+ *target = '\\';
+ /* target and remaining are updated below. */
+ break;
+
+ case '\'':
+ *target = '\'';
+ target++;
+ *target = '\'';
+ /* target and remaining are updated below. */
+ break;
+
+ default:
+ *target = *source;
+ /* target and remaining are updated below. */
+ }
+ source++;
+ target++;
+ remaining--;
+ }
+
+ /* Write the terminating NUL character. */
+ *target = '\0';
+
+ return target - to;
+}
+#endif /* !defined(HAVE_PQESCAPESTRING) */
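Review bot: `unsigned int remaining = length;` narrows the `size_t` argument, so where `size_t` is wider than `unsigned int` an input longer than `UINT_MAX` bytes is only partly escaped and the tail is silently dropped; declare it as `size_t remaining = length;`. The function cannot check the `2*length + 1` bound on `to`, so the header comment should state that the caller must size `to` from the same `length` it passes in. Escaping is done byte by byte with no knowledge of the client encoding, which is only sound where the bytes 0x27 and 0x5c never occur inside a multibyte character. Later libpq versions provide `PQescapeStringConn` for that reason, and a comment recording this limit would help whoever retires this copy. The call sites in pam_pgsql.c are not part of this commit, so it cannot be confirmed from here that every user-supplied field passes through this function before the `FORBIDDEN` marker is lifted.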