Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit0df2da9

Browse files
committed
Prevent access to external files/URLs via XML entity references.
xml_parse() would attempt to fetch external files or URLs as needed toresolve DTD and entity references in an XML value, thus allowingunprivileged database users to attempt to fetch data with the privilegesof the database server. While the external data wouldn't get returneddirectly to the user, portions of it could be exposed in error messagesif the data didn't parse as valid XML; and in any case the mere abilityto check existence of a file might be useful to an attacker.The ideal solution to this would still allow fetching of references thatare listed in the host system's XML catalogs, so that documents can bevalidated according to installed DTDs. However, doing that with theavailable libxml2 APIs appears complex and error-prone, so we're not goingto risk it in a security patch that necessarily hasn't gotten wide review.So this patch merely shuts off all access, causing any external fetch tosilently expand to an empty string. A future patch may improve this.In HEAD and 9.2, also suppress warnings about undefined entities, whichwould otherwise occur as a result of not loading referenced DTDs. Previousbranches don't show such warnings anyway, due to different error handlingarrangements.Credit to Noah Misch for first reporting the problem, and for much worktowards a solution, though this simplistic approach was not his preference.Also thanks to Daniel Veillard for consultation.Security:CVE-2012-3489
1 parentb5987c4 commit0df2da9

File tree

4 files changed

+68
-0
lines changed

4 files changed

+68
-0
lines changed

‎src/backend/utils/adt/xml.c

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,7 @@
4848
#ifdefUSE_LIBXML
4949
#include<libxml/chvalid.h>
5050
#include<libxml/parser.h>
51+
#include<libxml/parserInternals.h>
5152
#include<libxml/tree.h>
5253
#include<libxml/uri.h>
5354
#include<libxml/xmlerror.h>
@@ -86,6 +87,8 @@ intxmloption;
8687

8788
staticStringInfoxml_err_buf=NULL;
8889

90+
staticxmlParserInputPtrxmlPgEntityLoader(constchar*URL,constchar*ID,
91+
xmlParserCtxtPtrctxt);
8992
staticvoidxml_errorHandler(void*ctxt,constchar*msg,...);
9093
staticvoidxml_ereport_by_code(intlevel,intsqlcode,
9194
constchar*msg,interrcode);
@@ -886,6 +889,9 @@ pg_xml_init(void)
886889
/* Now that xml_err_buf exists, safe to call xml_errorHandler */
887890
xmlSetGenericErrorFunc(NULL,xml_errorHandler);
888891

892+
/* set up our entity loader, too */
893+
xmlSetExternalEntityLoader(xmlPgEntityLoader);
894+
889895
#ifdefUSE_LIBXMLCONTEXT
890896
/* Set up memory allocation our way, too */
891897
xml_memory_init();
@@ -910,6 +916,9 @@ pg_xml_init(void)
910916
* about, anyway.
911917
*/
912918
xmlSetGenericErrorFunc(NULL,xml_errorHandler);
919+
920+
/* set up our entity loader, too */
921+
xmlSetExternalEntityLoader(xmlPgEntityLoader);
913922
}
914923
}
915924

@@ -1323,6 +1332,25 @@ xml_pstrdup(const char *string)
13231332
#endif/* USE_LIBXMLCONTEXT */
13241333

13251334

1335+
/*
1336+
* xmlPgEntityLoader --- entity loader callback function
1337+
*
1338+
* Silently prevent any external entity URL from being loaded. We don't want
1339+
* to throw an error, so instead make the entity appear to expand to an empty
1340+
* string.
1341+
*
1342+
* We would prefer to allow loading entities that exist in the system's
1343+
* global XML catalog; but the available libxml2 APIs make that a complex
1344+
* and fragile task. For now, just shut down all external access.
1345+
*/
1346+
staticxmlParserInputPtr
1347+
xmlPgEntityLoader(constchar*URL,constchar*ID,
1348+
xmlParserCtxtPtrctxt)
1349+
{
1350+
returnxmlNewStringInputStream(ctxt, (constxmlChar*)"");
1351+
}
1352+
1353+
13261354
/*
13271355
* xml_ereport --- report an XML-related error
13281356
*

‎src/test/regress/expected/xml.out

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -686,3 +686,23 @@ SELECT xml_is_well_formed('abc');
686686
t
687687
(1 row)
688688

689+
-- External entity references should not leak filesystem information.
690+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/passwd">]><foo>&c;</foo>');
691+
xmlparse
692+
-----------------------------------------------------------------
693+
<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/passwd">]><foo>&c;</foo>
694+
(1 row)
695+
696+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/no.such.file">]><foo>&c;</foo>');
697+
xmlparse
698+
-----------------------------------------------------------------------
699+
<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/no.such.file">]><foo>&c;</foo>
700+
(1 row)
701+
702+
-- This might or might not load the requested DTD, but it mustn't throw error.
703+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"><chapter>&nbsp;</chapter>');
704+
xmlparse
705+
------------------------------------------------------------------------------------------------------------------------------------------------------
706+
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"><chapter>&nbsp;</chapter>
707+
(1 row)
708+

‎src/test/regress/expected/xml_1.out

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -632,3 +632,17 @@ SELECT xml_is_well_formed('abc');
632632
ERROR: unsupported XML feature
633633
DETAIL: This functionality requires the server to be built with libxml support.
634634
HINT: You need to rebuild PostgreSQL using --with-libxml.
635+
-- External entity references should not leak filesystem information.
636+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/passwd">]><foo>&c;</foo>');
637+
ERROR: unsupported XML feature
638+
DETAIL: This functionality requires the server to be built with libxml support.
639+
HINT: You need to rebuild PostgreSQL using --with-libxml.
640+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/no.such.file">]><foo>&c;</foo>');
641+
ERROR: unsupported XML feature
642+
DETAIL: This functionality requires the server to be built with libxml support.
643+
HINT: You need to rebuild PostgreSQL using --with-libxml.
644+
-- This might or might not load the requested DTD, but it mustn't throw error.
645+
SELECT XMLPARSE(DOCUMENT '<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"><chapter>&nbsp;</chapter>');
646+
ERROR: unsupported XML feature
647+
DETAIL: This functionality requires the server to be built with libxml support.
648+
HINT: You need to rebuild PostgreSQL using --with-libxml.

‎src/test/regress/sql/xml.sql

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -211,3 +211,9 @@ SELECT xml_is_well_formed('<pg:foo xmlns:pg="http://postgresql.org/stuff">bar</p
211211

212212
SET xmloption TO CONTENT;
213213
SELECT xml_is_well_formed('abc');
214+
215+
-- External entity references should not leak filesystem information.
216+
SELECT XMLPARSE(DOCUMENT'<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/passwd">]><foo>&c;</foo>');
217+
SELECT XMLPARSE(DOCUMENT'<!DOCTYPE foo [<!ENTITY c SYSTEM "/etc/no.such.file">]><foo>&c;</foo>');
218+
-- This might or might not load the requested DTD, but it mustn't throw error.
219+
SELECT XMLPARSE(DOCUMENT'<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"><chapter>&nbsp;</chapter>');

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp