diff options
| author | Noah Misch <noah@leadboat.com> | 2016-08-08 10:07:46 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2016-08-08 10:07:46 -0400 |
| commit | 142c24c23447f212e642a0ffac9af878b93f490d (patch) | |
| tree | 8d2e15cd7fef12ee5bbd78f455b9b32b719a7b40 /src | |
| parent | c400717172d77e5b07e51e04c5e5e13da181572e (diff) | |
| download | postgresql-142c24c23447f212e642a0ffac9af878b93f490d.tar.gz postgresql-142c24c23447f212e642a0ffac9af878b93f490d.zip | |
Reject, in pg_dumpall, names containing CR or LF.
These characters prematurely terminate Windows shell command processing,
causing the shell to execute a prefix of the intended command. The
chief alternative to rejecting these characters was to bypass the
Windows shell with CreateProcess(), but the ability to use such names
has little value. Back-patch to 9.1 (all supported versions).
This change formally revokes support for these characters in database
names and roles names. Don't document this; the error message is
self-explanatory, and too few users would benefit. A future major
release may forbid creation of databases and roles so named. For now,
check only at known weak points in pg_dumpall. Future commits will,
without notice, reject affected names from other frontend programs.
Also extend the restriction to pg_dumpall --dbname=CONNSTR arguments and
--file arguments. Unlike the effects on role name arguments and
database names, this does not reflect a broad policy change. A
migration to CreateProcess() could lift these two restrictions.
Reviewed by Peter Eisentraut.
Security: CVE-2016-5424
Diffstat (limited to 'src')
| -rw-r--r-- | src/bin/pg_dump/pg_dumpall.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/src/bin/pg_dump/pg_dumpall.c b/src/bin/pg_dump/pg_dumpall.c index ae49d354783..c24932bc593 100644 --- a/src/bin/pg_dump/pg_dumpall.c +++ b/src/bin/pg_dump/pg_dumpall.c @@ -2218,6 +2218,12 @@ doConnStrQuoting(PQExpBuffer buf, const char *str) /* * Append the given string to the shell command being built in the buffer, * with suitable shell-style quoting. + * + * Forbid LF or CR characters, which have scant practical use beyond designing + * security breaches. The Windows command shell is unusable as a conduit for + * arguments containing LF or CR characters. A future major release should + * reject those characters in CREATE ROLE and CREATE DATABASE, because use + * there eventually leads to errors here. */ static void doShellQuoting(PQExpBuffer buf, const char *str) @@ -2228,6 +2234,14 @@ doShellQuoting(PQExpBuffer buf, const char *str) appendPQExpBufferChar(buf, '\''); for (p = str; *p; p++) { + if (*p == '\n' || *p == '\r') + { + fprintf(stderr, + _("shell command argument contains a newline or carriage return: \"%s\"\n"), + str); + exit(EXIT_FAILURE); + } + if (*p == '\'') appendPQExpBufferStr(buf, "'\"'\"'"); else @@ -2239,6 +2253,14 @@ doShellQuoting(PQExpBuffer buf, const char *str) appendPQExpBufferChar(buf, '"'); for (p = str; *p; p++) { + if (*p == '\n' || *p == '\r') + { + fprintf(stderr, + _("shell command argument contains a newline or carriage return: \"%s\"\n"), + str); + exit(EXIT_FAILURE); + } + if (*p == '"') appendPQExpBufferStr(buf, "\\\""); else |