Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit02f013e

Browse files
committed
Convert newlines to spaces in names written in pg_dump comments.
pg_dump was incautious about sanitizing object names that are emittedwithin SQL comments in its output script. A name containing a newlinewould at least render the script syntactically incorrect. Maliciouslycrafted object names could present a SQL injection risk when the scriptis reloaded.Reported by Heikki Linnakangas, patch by Robert HaasSecurity:CVE-2012-0868
1 parent850d341 commit02f013e

File tree

1 file changed

+56
-4
lines changed

1 file changed

+56
-4
lines changed

‎src/bin/pg_dump/pg_backup_archiver.c‎

Lines changed: 56 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,7 @@ static ArchiveHandle *_allocAH(const char *FileSpec, const ArchiveFormat fmt,
8989
staticvoid_getObjectDescription(PQExpBufferbuf,TocEntry*te,
9090
ArchiveHandle*AH);
9191
staticvoid_printTocEntry(ArchiveHandle*AH,TocEntry*te,RestoreOptions*ropt,boolisData,boolacl_pass);
92+
staticchar*replace_line_endings(constchar*str);
9293

9394

9495
staticvoid_doSetFixedOutputState(ArchiveHandle*AH);
@@ -2876,6 +2877,9 @@ _printTocEntry(ArchiveHandle *AH, TocEntry *te, RestoreOptions *ropt, bool isDat
28762877
if (!AH->noTocComments)
28772878
{
28782879
constchar*pfx;
2880+
char*sanitized_name;
2881+
char*sanitized_schema;
2882+
char*sanitized_owner;
28792883

28802884
if (isData)
28812885
pfx="Data for ";
@@ -2897,12 +2901,39 @@ _printTocEntry(ArchiveHandle *AH, TocEntry *te, RestoreOptions *ropt, bool isDat
28972901
ahprintf(AH,"\n");
28982902
}
28992903
}
2904+
2905+
/*
2906+
* Zap any line endings embedded in user-supplied fields, to prevent
2907+
* corruption of the dump (which could, in the worst case, present an
2908+
* SQL injection vulnerability if someone were to incautiously load a
2909+
* dump containing objects with maliciously crafted names).
2910+
*/
2911+
sanitized_name=replace_line_endings(te->tag);
2912+
if (te->namespace)
2913+
sanitized_schema=replace_line_endings(te->namespace);
2914+
else
2915+
sanitized_schema=strdup("-");
2916+
if (!ropt->noOwner)
2917+
sanitized_owner=replace_line_endings(te->owner);
2918+
else
2919+
sanitized_owner=strdup("-");
2920+
29002921
ahprintf(AH,"-- %sName: %s; Type: %s; Schema: %s; Owner: %s",
2901-
pfx,te->tag,te->desc,
2902-
te->namespace ?te->namespace :"-",
2903-
ropt->noOwner ?"-" :te->owner);
2922+
pfx,sanitized_name,te->desc,sanitized_schema,
2923+
sanitized_owner);
2924+
2925+
free(sanitized_name);
2926+
free(sanitized_schema);
2927+
free(sanitized_owner);
2928+
29042929
if (te->tablespace&& !ropt->noTablespace)
2905-
ahprintf(AH,"; Tablespace: %s",te->tablespace);
2930+
{
2931+
char*sanitized_tablespace;
2932+
2933+
sanitized_tablespace=replace_line_endings(te->tablespace);
2934+
ahprintf(AH,"; Tablespace: %s",sanitized_tablespace);
2935+
free(sanitized_tablespace);
2936+
}
29062937
ahprintf(AH,"\n");
29072938

29082939
if (AH->PrintExtraTocPtr!=NULL)
@@ -2995,6 +3026,27 @@ _printTocEntry(ArchiveHandle *AH, TocEntry *te, RestoreOptions *ropt, bool isDat
29953026
}
29963027
}
29973028

3029+
/*
3030+
* Sanitize a string to be included in an SQL comment, by replacing any
3031+
* newlines with spaces.
3032+
*/
3033+
staticchar*
3034+
replace_line_endings(constchar*str)
3035+
{
3036+
char*result;
3037+
char*s;
3038+
3039+
result=strdup(str);
3040+
3041+
for (s=result;*s!='\0';s++)
3042+
{
3043+
if (*s=='\n'||*s=='\r')
3044+
*s=' ';
3045+
}
3046+
3047+
returnresult;
3048+
}
3049+
29983050
void
29993051
WriteHead(ArchiveHandle*AH)
30003052
{

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp