| From: | Juan José Santamaría Flecha <juanjo(dot)santamaria(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | cilizili(at)protonmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #16080: pg_ctl is failed if a fake cmd.exe exist in the current directory. |
| Date: | 2019-10-27 10:07:31 |
| Message-ID: | CAC+AXB1UKiioDZE5WwofFUL7smA2cqf71U2K5mfRNrjTrggiww@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Sat, Oct 26, 2019 at 7:44 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> =?UTF-8?Q?Juan_Jos=C3=A9_Santamar=C3=ADa_Flecha?= <
> juanjo(dot)santamaria(at)gmail(dot)com> writes:
> > On Sat, Oct 26, 2019 at 5:20 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> Right, but does cmd.exe have a well-defined location in Windows?
> >> I don't think we can know which drive it's on, for starters.
>
> > The environment variable COMSPEC [1] should point to the right location.
>
> Hm. I don't have any objection to using COMSPEC if it's set, but
> of course that changes nothing from a security perspective. It's
> just a different route by which pg_ctl, pg_upgrade, etc can be
> misled.
>
>
The only impact this will have is finding the CMD executable directly,
without having to rely on CreateProcessAsUser() logic.
Please find attached a patch with this simple modification.
Regards,
Juan José Santamaría Flecha
| Attachment | Content-Type | Size |
|---|---|---|
| 0001_find_cmd_using_comspec.patch | application/x-patch | 1.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2019-10-27 15:42:46 | Re: BUG #16080: pg_ctl is failed if a fake cmd.exe exist in the current directory. |
| Previous Message | Tomas Vondra | 2019-10-26 21:56:46 | Re: BUG #16082: TOAST's pglz_decompress access to uninitialized data, if the database is corrupted. |