Reject, in pg_dumpall, names containing CR or LF. · s-monk/postgres@6bec1a6 · GitHub

Commit 6bec1a6

Reject, in pg_dumpall, names containing CR or LF.
These characters prematurely terminate Windows shell command processing, causing the shell to execute a prefix of the intended command. The chief alternative to rejecting these characters was to bypass the Windows shell with CreateProcess(), but the ability to use such names has little value. Back-patch to 9.1 (all supported versions).

This change formally revokes support for these characters in database names and role names. Don't document this; the error message is self-explanatory, and too few users would benefit. A future major release may forbid creation of databases and roles so named. For now, check only at known weak points in pg_dumpall. Future commits will, without notice, reject affected names from other frontend programs.

Also extend the restriction to pg_dumpall --dbname=CONNSTR arguments and --file arguments. Unlike the effects on role name arguments and database names, this does not reflect a broad policy change. A migration to CreateProcess() could lift these two restrictions.

Reviewed by Peter Eisentraut.

Security: CVE-2016-5424
1 parent aed0387 commit 6bec1a6


src/bin/pg_dump/pg_dumpall.c

Lines changed: 22 additions & 0 deletions
@@ -2129,6 +2129,12 @@ doConnStrQuoting(PQExpBuffer buf, const char *str)
21292129
/*
21302130
* Append the given string to the shell command being built in the buffer,
21312131
* with suitable shell-style quoting.
2132+
*
2133+
* Forbid LF or CR characters, which have scant practical use beyond designing
2134+
* security breaches. The Windows command shell is unusable as a conduit for
2135+
* arguments containing LF or CR characters. A future major release should
2136+
* reject those characters in CREATE ROLE and CREATE DATABASE, because use
2137+
* there eventually leads to errors here.
21322138
*/
21332139
static void
21342140
doShellQuoting(PQExpBuffer buf, const char *str)
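Review bot: The new comment above doShellQuoting() says LF and CR are forbidden but not what a caller sees when one is found. Going by the checks added further down, the function prints an error and calls exit(EXIT_FAILURE) instead of returning, so the header comment should say so. It would also help to state that the rejection applies in both quoting loops, since the rationale given here is specific to the Windows command shell.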
@@ -2139,6 +2145,14 @@ doShellQuoting(PQExpBuffer buf, const char *str)
21392145
appendPQExpBufferChar(buf, '\'');
21402146
for (p = str; *p; p++)
21412147
{
2148+
if (*p == '\n' || *p == '\r')
2149+
{
2150+
fprintf(stderr,
2151+
_("shell command argument contains a newline or carriage return: \"%s\"\n"),
2152+
str);
2153+
exit(EXIT_FAILURE);
2154+
}
2155+
21422156
if (*p == '\'')
21432157
appendPQExpBufferStr(buf, "'\"'\"'");
21442158
else
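Review bot: In the check added to the single-quote loop, fprintf() prints str with "%s", and at that point str is known to contain a raw CR or LF. The diagnostic will be split across lines, or partly overwritten on a terminal by a CR, so a database or role name ends up shaping what the operator reads on stderr. Consider printing the argument with control characters escaped, or leaving the value out of the message.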
@@ -2150,6 +2164,14 @@ doShellQuoting(PQExpBuffer buf, const char *str)
21502164
appendPQExpBufferChar(buf, '"');
21512165
for (p = str; *p; p++)
21522166
{
2167+
if (*p == '\n' || *p == '\r')
2168+
{
2169+
fprintf(stderr,
2170+
_("shell command argument contains a newline or carriage return: \"%s\"\n"),
2171+
str);
2172+
exit(EXIT_FAILURE);
2173+
}
2174+
21532175
if (*p == '"')
21542176
appendPQExpBufferStr(buf, "\\\"");
21552177
else
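Review bot: The check added to the double-quote loop is a line-for-line copy of the one in the single-quote loop above. A single test ahead of the loops, for example `if (strpbrk(str, "\n\r") != NULL)`, would keep the two branches from drifting apart, leave one message string to maintain, and fail before the opening quote is appended to buf.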
