Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commite76e252

Browse files
committed
Prevent access to external files/URLs via contrib/xml2's xslt_process().
libxslt offers the ability to read and write both files and URLs throughstylesheet commands, thus allowing unprivileged database users to both readand write data with the privileges of the database server. Disable thatthrough proper use of libxslt's security options.Also, remove xslt_process()'s ability to fetch documents and stylesheetsfrom external files/URLs. While this was a documented "feature", it waslong regarded as a terrible idea. The fix forCVE-2012-3489 broke thatcapability, and rather than expend effort on trying to fix it, we're justgoing to summarily remove it.While the ability to write as well as read makes this security holeconsiderably worse thanCVE-2012-3489, the problem is mitigated by the factthat xslt_process() is not available unless contrib/xml2 is installed,and the longstanding warnings about security risks from that should havediscouraged prudent DBAs from installing it in security-exposed databases.Reported and fixed by Peter Eisentraut.Security:CVE-2012-3488
1 parent0df2da9 commite76e252

File tree

5 files changed

+103
-29
lines changed

5 files changed

+103
-29
lines changed

‎contrib/xml2/expected/xml2.out

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -207,3 +207,18 @@ SELECT xslt_process('<employee><name>cim</name><age>30</age><pay>400</pay></empl
207207

208208
(1 row)
209209

210+
-- possible security exploit
211+
SELECT xslt_process('<xml><foo>Hello from XML</foo></xml>',
212+
$$<xsl:stylesheet version="1.0"
213+
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
214+
xmlns:sax="http://icl.com/saxon"
215+
extension-element-prefixes="sax">
216+
217+
<xsl:template match="//foo">
218+
<sax:output href="0wn3d.txt" method="text">
219+
<xsl:value-of select="'0wn3d via xml2 extension and libxslt'"/>
220+
<xsl:apply-templates/>
221+
</sax:output>
222+
</xsl:template>
223+
</xsl:stylesheet>$$);
224+
ERROR: failed to apply stylesheet

‎contrib/xml2/expected/xml2_1.out

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -151,3 +151,18 @@ SELECT xslt_process('<employee><name>cim</name><age>30</age><pay>400</pay></empl
151151
</xsl:template>
152152
</xsl:stylesheet>$$::text, 'n1="v1",n2="v2",n3="v3",n4="v4",n5="v5",n6="v6",n7="v7",n8="v8",n9="v9",n10="v10",n11="v11",n12="v12"'::text);
153153
ERROR: xslt_process() is not available without libxslt
154+
-- possible security exploit
155+
SELECT xslt_process('<xml><foo>Hello from XML</foo></xml>',
156+
$$<xsl:stylesheet version="1.0"
157+
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
158+
xmlns:sax="http://icl.com/saxon"
159+
extension-element-prefixes="sax">
160+
161+
<xsl:template match="//foo">
162+
<sax:output href="0wn3d.txt" method="text">
163+
<xsl:value-of select="'0wn3d via xml2 extension and libxslt'"/>
164+
<xsl:apply-templates/>
165+
</sax:output>
166+
</xsl:template>
167+
</xsl:stylesheet>$$);
168+
ERROR: xslt_process() is not available without libxslt

‎contrib/xml2/sql/xml2.sql

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,3 +122,18 @@ SELECT xslt_process('<employee><name>cim</name><age>30</age><pay>400</pay></empl
122122
</xsl:element>
123123
</xsl:template>
124124
</xsl:stylesheet>$$::text,'n1="v1",n2="v2",n3="v3",n4="v4",n5="v5",n6="v6",n7="v7",n8="v8",n9="v9",n10="v10",n11="v11",n12="v12"'::text);
125+
126+
-- possible security exploit
127+
SELECT xslt_process('<xml><foo>Hello from XML</foo></xml>',
128+
$$<xsl:stylesheet version="1.0"
129+
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
130+
xmlns:sax="http://icl.com/saxon"
131+
extension-element-prefixes="sax">
132+
133+
<xsl:template match="//foo">
134+
<sax:output href="0wn3d.txt" method="text">
135+
<xsl:value-ofselect="'0wn3d via xml2 extension and libxslt'"/>
136+
<xsl:apply-templates/>
137+
</sax:output>
138+
</xsl:template>
139+
</xsl:stylesheet>$$);

‎contrib/xml2/xslt_proc.c

Lines changed: 58 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626

2727
#include<libxslt/xslt.h>
2828
#include<libxslt/xsltInternals.h>
29+
#include<libxslt/security.h>
2930
#include<libxslt/transform.h>
3031
#include<libxslt/xsltutils.h>
3132
#endif/* USE_LIBXSLT */
@@ -60,7 +61,10 @@ xslt_process(PG_FUNCTION_ARGS)
6061
xsltStylesheetPtrstylesheet=NULL;
6162
xmlDocPtrdoctree;
6263
xmlDocPtrrestree;
63-
xmlDocPtrssdoc=NULL;
64+
xmlDocPtrssdoc;
65+
xsltSecurityPrefsPtrxslt_sec_prefs;
66+
boolxslt_sec_prefs_error;
67+
xsltTransformContextPtrxslt_ctxt;
6468
xmlChar*resstr;
6569
intresstat;
6670
intreslen;
@@ -80,34 +84,27 @@ xslt_process(PG_FUNCTION_ARGS)
8084
/* Setup parser */
8185
pgxml_parser_init();
8286

83-
/* Check to see if document is a file or a literal */
84-
85-
if (VARDATA(doct)[0]=='<')
86-
doctree=xmlParseMemory((char*)VARDATA(doct),VARSIZE(doct)-VARHDRSZ);
87-
else
88-
doctree=xmlParseFile(text_to_cstring(doct));
87+
/* Parse document */
88+
doctree=xmlParseMemory((char*)VARDATA(doct),
89+
VARSIZE(doct)-VARHDRSZ);
8990

9091
if (doctree==NULL)
9192
xml_ereport(ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
9293
"error parsing XML document");
9394

9495
/* Same for stylesheet */
95-
if (VARDATA(ssheet)[0]=='<')
96-
{
97-
ssdoc=xmlParseMemory((char*)VARDATA(ssheet),
98-
VARSIZE(ssheet)-VARHDRSZ);
99-
if (ssdoc==NULL)
100-
{
101-
xmlFreeDoc(doctree);
102-
xml_ereport(ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
103-
"error parsing stylesheet as XML document");
104-
}
96+
ssdoc=xmlParseMemory((char*)VARDATA(ssheet),
97+
VARSIZE(ssheet)-VARHDRSZ);
10598

106-
stylesheet=xsltParseStylesheetDoc(ssdoc);
99+
if (ssdoc==NULL)
100+
{
101+
xmlFreeDoc(doctree);
102+
xml_ereport(ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
103+
"error parsing stylesheet as XML document");
107104
}
108-
else
109-
stylesheet=xsltParseStylesheetFile((xmlChar*)text_to_cstring(ssheet));
110105

106+
/* After this call we need not free ssdoc separately */
107+
stylesheet=xsltParseStylesheetDoc(ssdoc);
111108

112109
if (stylesheet==NULL)
113110
{
@@ -117,12 +114,50 @@ xslt_process(PG_FUNCTION_ARGS)
117114
"failed to parse stylesheet");
118115
}
119116

120-
restree=xsltApplyStylesheet(stylesheet,doctree,params);
117+
xslt_ctxt=xsltNewTransformContext(stylesheet,doctree);
118+
119+
xslt_sec_prefs_error= false;
120+
if ((xslt_sec_prefs=xsltNewSecurityPrefs())==NULL)
121+
xslt_sec_prefs_error= true;
122+
123+
if (xsltSetSecurityPrefs(xslt_sec_prefs,XSLT_SECPREF_READ_FILE,
124+
xsltSecurityForbid)!=0)
125+
xslt_sec_prefs_error= true;
126+
if (xsltSetSecurityPrefs(xslt_sec_prefs,XSLT_SECPREF_WRITE_FILE,
127+
xsltSecurityForbid)!=0)
128+
xslt_sec_prefs_error= true;
129+
if (xsltSetSecurityPrefs(xslt_sec_prefs,XSLT_SECPREF_CREATE_DIRECTORY,
130+
xsltSecurityForbid)!=0)
131+
xslt_sec_prefs_error= true;
132+
if (xsltSetSecurityPrefs(xslt_sec_prefs,XSLT_SECPREF_READ_NETWORK,
133+
xsltSecurityForbid)!=0)
134+
xslt_sec_prefs_error= true;
135+
if (xsltSetSecurityPrefs(xslt_sec_prefs,XSLT_SECPREF_WRITE_NETWORK,
136+
xsltSecurityForbid)!=0)
137+
xslt_sec_prefs_error= true;
138+
if (xsltSetCtxtSecurityPrefs(xslt_sec_prefs,xslt_ctxt)!=0)
139+
xslt_sec_prefs_error= true;
140+
141+
if (xslt_sec_prefs_error)
142+
{
143+
xsltFreeStylesheet(stylesheet);
144+
xmlFreeDoc(doctree);
145+
xsltFreeSecurityPrefs(xslt_sec_prefs);
146+
xsltFreeTransformContext(xslt_ctxt);
147+
xsltCleanupGlobals();
148+
xml_ereport(ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
149+
"could not set libxslt security preferences");
150+
}
151+
152+
restree=xsltApplyStylesheetUser(stylesheet,doctree,params,
153+
NULL,NULL,xslt_ctxt);
121154

122155
if (restree==NULL)
123156
{
124157
xsltFreeStylesheet(stylesheet);
125158
xmlFreeDoc(doctree);
159+
xsltFreeSecurityPrefs(xslt_sec_prefs);
160+
xsltFreeTransformContext(xslt_ctxt);
126161
xsltCleanupGlobals();
127162
xml_ereport(ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
128163
"failed to apply stylesheet");
@@ -133,6 +168,8 @@ xslt_process(PG_FUNCTION_ARGS)
133168
xsltFreeStylesheet(stylesheet);
134169
xmlFreeDoc(restree);
135170
xmlFreeDoc(doctree);
171+
xsltFreeSecurityPrefs(xslt_sec_prefs);
172+
xsltFreeTransformContext(xslt_ctxt);
136173

137174
xsltCleanupGlobals();
138175

‎doc/src/sgml/xml2.sgml

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -436,14 +436,6 @@ xslt_process(text document, text stylesheet, text paramlist) returns text
436436
contain commas!
437437
</para>
438438

439-
<para>
440-
Also note that if either the document or stylesheet values do not
441-
begin with a &lt; then they will be treated as URLs and libxslt will
442-
fetch them. It follows that you can use <function>xslt_process</> as a
443-
means to fetch the contents of URLs &mdash; you should be aware of the
444-
security implications of this.
445-
</para>
446-
447439
<para>
448440
There is also a two-parameter version of <function>xslt_process</> which
449441
does not pass any parameters to the transformation.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp