Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit7ad8e79

Browse files
Restrict psql meta-commands in plain-text dumps.
A malicious server could inject psql meta-commands into plain-textdump output (i.e., scripts created with pg_dump --format=plain,pg_dumpall, or pg_restore --file) that are run at restore time onthe machine running psql. To fix, introduce a new "restricted"mode in psql that blocks all meta-commands (except for \unrestrictto exit the mode), and teach pg_dump, pg_dumpall, and pg_restore touse this mode in plain-text dumps.While at it, encourage users to only restore dumps generated fromtrusted servers or to inspect it beforehand, since restoring causesthe destination to execute arbitrary code of the source superusers'choice. However, the client running the dump and restore needn'ttrust the source or destination superusers.Reported-by: Martin RakhmanovReported-by: Matthieu Denais <litezeraw@gmail.com>Reported-by: RyotaK <ryotak.mail@gmail.com>Suggested-by: Tom Lane <tgl@sss.pgh.pa.us>Reviewed-by: Noah Misch <noah@leadboat.com>Reviewed-by: Michael Paquier <michael@paquier.xyz>Reviewed-by: Peter Eisentraut <peter@eisentraut.org>Security:CVE-2025-8714Backpatch-through: 13
1 parent850caae commit7ad8e79

File tree

21 files changed

+427
-10
lines changed

21 files changed

+427
-10
lines changed

‎doc/src/sgml/ref/pg_dump.sgml‎

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -92,6 +92,18 @@ PostgreSQL documentation
9292
light of the limitations listed below.
9393
</para>
9494

95+
<warning>
96+
<para>
97+
Restoring a dump causes the destination to execute arbitrary code of the
98+
source superusers' choice. Partial dumps and partial restores do not limit
99+
that. If the source superusers are not trusted, the dumped SQL statements
100+
must be inspected before restoring. Non-plain-text dumps can be inspected
101+
by using <application>pg_restore</application>'s <option>--file</option>
102+
option. Note that the client running the dump and restore need not trust
103+
the source or destination superusers.
104+
</para>
105+
</warning>
106+
95107
</refsect1>
96108

97109
<refsect1 id="pg-dump-options">
@@ -1078,6 +1090,29 @@ PostgreSQL documentation
10781090
</listitem>
10791091
</varlistentry>
10801092

1093+
<varlistentry>
1094+
<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>
1095+
<listitem>
1096+
<para>
1097+
Use the provided string as the <application>psql</application>
1098+
<command>\restrict</command> key in the dump output. This can only be
1099+
specified for plain-text dumps, i.e., when <option>--format</option> is
1100+
set to <literal>plain</literal> or the <option>--format</option> option
1101+
is omitted. If no restrict key is specified,
1102+
<application>pg_dump</application> will generate a random one as
1103+
needed. Keys may contain only alphanumeric characters.
1104+
</para>
1105+
<para>
1106+
This option is primarily intended for testing purposes and other
1107+
scenarios that require repeatable output (e.g., comparing dump files).
1108+
It is not recommended for general use, as a malicious server with
1109+
advance knowledge of the key may be able to inject arbitrary code that
1110+
will be executed on the machine that runs
1111+
<application>psql</application> with the dump output.
1112+
</para>
1113+
</listitem>
1114+
</varlistentry>
1115+
10811116
<varlistentry>
10821117
<term><option>--rows-per-insert=<replaceable class="parameter">nrows</replaceable></option></term>
10831118
<listitem>

‎doc/src/sgml/ref/pg_dumpall.sgml‎

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,16 @@ PostgreSQL documentation
6666
linkend="libpq-pgpass"/> for more information.
6767
</para>
6868

69+
<warning>
70+
<para>
71+
Restoring a dump causes the destination to execute arbitrary code of the
72+
source superusers' choice. Partial dumps and partial restores do not limit
73+
that. If the source superusers are not trusted, the dumped SQL statements
74+
must be inspected before restoring. Note that the client running the dump
75+
and restore need not trust the source or destination superusers.
76+
</para>
77+
</warning>
78+
6979
</refsect1>
7080

7181
<refsect1>
@@ -524,6 +534,26 @@ PostgreSQL documentation
524534
</listitem>
525535
</varlistentry>
526536

537+
<varlistentry>
538+
<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>
539+
<listitem>
540+
<para>
541+
Use the provided string as the <application>psql</application>
542+
<command>\restrict</command> key in the dump output. If no restrict
543+
key is specified, <application>pg_dumpall</application> will generate a
544+
random one as needed. Keys may contain only alphanumeric characters.
545+
</para>
546+
<para>
547+
This option is primarily intended for testing purposes and other
548+
scenarios that require repeatable output (e.g., comparing dump files).
549+
It is not recommended for general use, as a malicious server with
550+
advance knowledge of the key may be able to inject arbitrary code that
551+
will be executed on the machine that runs
552+
<application>psql</application> with the dump output.
553+
</para>
554+
</listitem>
555+
</varlistentry>
556+
527557
<varlistentry>
528558
<term><option>--rows-per-insert=<replaceable class="parameter">nrows</replaceable></option></term>
529559
<listitem>

‎doc/src/sgml/ref/pg_restore.sgml‎

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,18 @@ PostgreSQL documentation
6868
<application>pg_restore</application> will not be able to load the data
6969
using <command>COPY</command> statements.
7070
</para>
71+
72+
<warning>
73+
<para>
74+
Restoring a dump causes the destination to execute arbitrary code of the
75+
source superusers' choice. Partial dumps and partial restores do not limit
76+
that. If the source superusers are not trusted, the dumped SQL statements
77+
must be inspected before restoring. Non-plain-text dumps can be inspected
78+
by using <application>pg_restore</application>'s <option>--file</option>
79+
option. Note that the client running the dump and restore need not trust
80+
the source or destination superusers.
81+
</para>
82+
</warning>
7183
</refsect1>
7284

7385
<refsect1 id="app-pgrestore-options">
@@ -675,6 +687,28 @@ PostgreSQL documentation
675687
</listitem>
676688
</varlistentry>
677689

690+
<varlistentry>
691+
<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>
692+
<listitem>
693+
<para>
694+
Use the provided string as the <application>psql</application>
695+
<command>\restrict</command> key in the dump output. This can only be
696+
specified for SQL script output, i.e., when the <option>--file</option>
697+
option is used. If no restrict key is specified,
698+
<application>pg_restore</application> will generate a random one as
699+
needed. Keys may contain only alphanumeric characters.
700+
</para>
701+
<para>
702+
This option is primarily intended for testing purposes and other
703+
scenarios that require repeatable output (e.g., comparing dump files).
704+
It is not recommended for general use, as a malicious server with
705+
advance knowledge of the key may be able to inject arbitrary code that
706+
will be executed on the machine that runs
707+
<application>psql</application> with the dump output.
708+
</para>
709+
</listitem>
710+
</varlistentry>
711+
678712
<varlistentry>
679713
<term><option>--section=<replaceable class="parameter">sectionname</replaceable></option></term>
680714
<listitem>

‎doc/src/sgml/ref/pgupgrade.sgml‎

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,14 @@ PostgreSQL documentation
7070
pg_upgrade supports upgrades from 9.2.X and later to the current
7171
major release of <productname>PostgreSQL</productname>, including snapshot and beta releases.
7272
</para>
73+
74+
<warning>
75+
<para>
76+
Upgrading a cluster causes the destination to execute arbitrary code of the
77+
source superusers' choice. Ensure that the source superusers are trusted
78+
before upgrading.
79+
</para>
80+
</warning>
7381
</refsect1>
7482

7583
<refsect1>

‎doc/src/sgml/ref/psql-ref.sgml‎

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3340,6 +3340,24 @@ lo_import 152801
33403340
</varlistentry>
33413341

33423342

3343+
<varlistentry id="app-psql-meta-command-restrict">
3344+
<term><literal>\restrict <replaceable class="parameter">restrict_key</replaceable></literal></term>
3345+
<listitem>
3346+
<para>
3347+
Enter "restricted" mode with the provided key. In this mode, the only
3348+
allowed meta-command is <command>\unrestrict</command>, to exit
3349+
restricted mode. The key may contain only alphanumeric characters.
3350+
</para>
3351+
<para>
3352+
This command is primarily intended for use in plain-text dumps
3353+
generated by <application>pg_dump</application>,
3354+
<application>pg_dumpall</application>, and
3355+
<application>pg_restore</application>, but it may be useful elsewhere.
3356+
</para>
3357+
</listitem>
3358+
</varlistentry>
3359+
3360+
33433361
<varlistentry id="app-psql-meta-command-s">
33443362
<term><literal>\s [ <replaceable class="parameter">filename</replaceable> ]</literal></term>
33453363
<listitem>
@@ -3514,6 +3532,24 @@ testdb=&gt; <userinput>\setenv LESS -imx4F</userinput>
35143532
</varlistentry>
35153533

35163534

3535+
<varlistentry id="app-psql-meta-command-unrestrict">
3536+
<term><literal>\unrestrict <replaceable class="parameter">restrict_key</replaceable></literal></term>
3537+
<listitem>
3538+
<para>
3539+
Exit "restricted" mode (i.e., where all other meta-commands are
3540+
blocked), provided the specified key matches the one given to
3541+
<command>\restrict</command> when restricted mode was entered.
3542+
</para>
3543+
<para>
3544+
This command is primarily intended for use in plain-text dumps
3545+
generated by <application>pg_dump</application>,
3546+
<application>pg_dumpall</application>, and
3547+
<application>pg_restore</application>, but it may be useful elsewhere.
3548+
</para>
3549+
</listitem>
3550+
</varlistentry>
3551+
3552+
35173553
<varlistentry id="app-psql-meta-command-unset">
35183554
<term><literal>\unset <replaceable class="parameter">name</replaceable></literal></term>
35193555

‎src/bin/pg_dump/dumputils.c‎

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
#include"dumputils.h"
2020
#include"fe_utils/string_utils.h"
2121

22+
staticconstcharrestrict_chars[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
2223

2324
staticboolparseAclItem(constchar*item,constchar*type,
2425
constchar*name,constchar*subname,intremoteVersion,
@@ -919,3 +920,40 @@ makeAlterConfigCommand(PGconn *conn, const char *configitem,
919920

920921
pg_free(mine);
921922
}
923+
924+
/*
925+
* Generates a valid restrict key (i.e., an alphanumeric string) for use with
926+
* psql's \restrict and \unrestrict meta-commands. For safety, the value is
927+
* chosen at random.
928+
*/
929+
char*
930+
generate_restrict_key(void)
931+
{
932+
uint8buf[64];
933+
char*ret=palloc(sizeof(buf));
934+
935+
if (!pg_strong_random(buf,sizeof(buf)))
936+
returnNULL;
937+
938+
for (inti=0;i<sizeof(buf)-1;i++)
939+
{
940+
uint8idx=buf[i] %strlen(restrict_chars);
941+
942+
ret[i]=restrict_chars[idx];
943+
}
944+
ret[sizeof(buf)-1]='\0';
945+
946+
returnret;
947+
}
948+
949+
/*
950+
* Checks that a given restrict key (intended for use with psql's \restrict and
951+
* \unrestrict meta-commands) contains only alphanumeric characters.
952+
*/
953+
bool
954+
valid_restrict_key(constchar*restrict_key)
955+
{
956+
returnrestrict_key!=NULL&&
957+
restrict_key[0]!='\0'&&
958+
strspn(restrict_key,restrict_chars)==strlen(restrict_key);
959+
}

‎src/bin/pg_dump/dumputils.h‎

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,4 +64,7 @@ extern void makeAlterConfigCommand(PGconn *conn, const char *configitem,
6464
constchar*type2,constchar*name2,
6565
PQExpBufferbuf);
6666

67+
externchar*generate_restrict_key(void);
68+
externboolvalid_restrict_key(constchar*restrict_key);
69+
6770
#endif/* DUMPUTILS_H */

‎src/bin/pg_dump/pg_backup.h‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -154,6 +154,8 @@ typedef struct _restoreOptions
154154
intenable_row_security;
155155
intsequence_data;/* dump sequence data even in schema-only mode */
156156
intbinary_upgrade;
157+
158+
char*restrict_key;
157159
}RestoreOptions;
158160

159161
typedefstruct_dumpOptions
@@ -200,6 +202,8 @@ typedef struct _dumpOptions
200202

201203
intsequence_data;/* dump sequence data even in schema-only mode */
202204
intdo_nothing;
205+
206+
char*restrict_key;
203207
}DumpOptions;
204208

205209
/*

‎src/bin/pg_dump/pg_backup_archiver.c‎

Lines changed: 31 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -204,6 +204,7 @@ dumpOptionsFromRestoreOptions(RestoreOptions *ropt)
204204
dopt->include_everything=ropt->include_everything;
205205
dopt->enable_row_security=ropt->enable_row_security;
206206
dopt->sequence_data=ropt->sequence_data;
207+
dopt->restrict_key=ropt->restrict_key ?pg_strdup(ropt->restrict_key) :NULL;
207208

208209
returndopt;
209210
}
@@ -466,6 +467,17 @@ RestoreArchive(Archive *AHX)
466467

467468
ahprintf(AH,"--\n-- PostgreSQL database dump\n--\n\n");
468469

470+
/*
471+
* If generating plain-text output, enter restricted mode to block any
472+
* unexpected psql meta-commands. A malicious source might try to inject
473+
* a variety of things via bogus responses to queries. While we cannot
474+
* prevent such sources from affecting the destination at restore time, we
475+
* can block psql meta-commands so that the client machine that runs psql
476+
* with the dump output remains unaffected.
477+
*/
478+
if (ropt->restrict_key)
479+
ahprintf(AH,"\\restrict %s\n\n",ropt->restrict_key);
480+
469481
if (AH->archiveRemoteVersion)
470482
ahprintf(AH,"-- Dumped from database version %s\n",
471483
AH->archiveRemoteVersion);
@@ -741,6 +753,14 @@ RestoreArchive(Archive *AHX)
741753

742754
ahprintf(AH,"--\n-- PostgreSQL database dump complete\n--\n\n");
743755

756+
/*
757+
* If generating plain-text output, exit restricted mode at the very end
758+
* of the script. This is not pro forma; in particular, pg_dumpall
759+
* requires this when transitioning from one database to another.
760+
*/
761+
if (ropt->restrict_key)
762+
ahprintf(AH,"\\unrestrict %s\n\n",ropt->restrict_key);
763+
744764
/*
745765
* Clean up & we're done.
746766
*/
@@ -3228,11 +3248,21 @@ _reconnectToDB(ArchiveHandle *AH, const char *dbname)
32283248
else
32293249
{
32303250
PQExpBufferDataconnectbuf;
3251+
RestoreOptions*ropt=AH->public.ropt;
3252+
3253+
/*
3254+
* We must temporarily exit restricted mode for \connect, etc.
3255+
* Anything added between this line and the following \restrict must
3256+
* be careful to avoid any possible meta-command injection vectors.
3257+
*/
3258+
ahprintf(AH,"\\unrestrict %s\n",ropt->restrict_key);
32313259

32323260
initPQExpBuffer(&connectbuf);
32333261
appendPsqlMetaConnect(&connectbuf,dbname);
3234-
ahprintf(AH,"%s\n",connectbuf.data);
3262+
ahprintf(AH,"%s",connectbuf.data);
32353263
termPQExpBuffer(&connectbuf);
3264+
3265+
ahprintf(AH,"\\restrict %s\n\n",ropt->restrict_key);
32363266
}
32373267

32383268
/*

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp