
Re: syntax error causes crafted data to be executed in shell

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Thomer M(dot) Gil" <postgresql(at)thomer(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: syntax error causes crafted data to be executed in shell
Date: 2004-12-17 19:32:10
Message-ID: 22001.1103311930@sss.pgh.pa.us
Lists: pgsql-bugs
"Thomer M. Gil" <postgresql(at)thomer(dot)com> writes:
> More details and the, in my opinion, somewhat reckless response by one
> of the Debian postgresql package maintainers are available at:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285844

The response you're going to get here is not a lot different from what
you got there, mainly because it's mostly the same people here ;-).

I tend to agree with Peter that you haven't presented a reason to panic.
I'm not aware of any supported situation where psql would fail to parse
a COPY command output by pg_dump.  It could happen when trying to load
newer dump data into an older server, but that's unsupported, and we
have no way to retroactively fix the behavior of older versions anyway.
So there's no point in treating this as a security issue.

Still, it looks like it would be relatively easy to suppress evaluation
of backticked arguments once we recognize that the backslash command has
failed, and I would say that that's a reasonable change to make on the
principle of least surprise.

			regards, tom lane

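As an added defender-side check (not code from this thread or from PostgreSQL), the scanner below flags backslash meta-command lines in a psql input file whose arguments contain backtick segments, the situation described above where data that psql mis-parses as a command would have its backticks handed to a shell; the sample dump is constructed and the quoting rules are a deliberate simplification of psql's own.

```python
"""Conservative pre-restore check for psql input (e.g. a dump file).

Flags backslash meta-command lines that contain `...` segments, because
psql runs backtick arguments of meta-commands through a shell. The check
does not reproduce psql's full quoting rules and may over-report; it also
scans COPY data lines on purpose, since those are what would be
re-interpreted as commands if the COPY statement itself failed to parse.
"""
import re
from typing import List, Tuple

# A meta-command starts the line with a backslash followed by its name;
# the remainder of the line is its argument list.
_META_CMD = re.compile(r"^\s*\\(\w+)(.*)$")
_BACKTICK = re.compile(r"`([^`]*)`")


def find_backtick_meta_commands(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, command_name, backtick_body) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _META_CMD.match(line)
        if not m:
            continue
        cmd, args = m.group(1), m.group(2)
        for bt in _BACKTICK.finditer(args):
            findings.append((lineno, cmd, bt.group(1)))
    return findings


# Constructed sample, not real pg_dump output: two "data" lines carry
# meta-commands with backtick arguments, the rest is ordinary content.
SAMPLE_DUMP = r"""-- constructed sample
COPY t (a, b) FROM stdin;
1	safe value
\echo `id`
\.
\set x `hostname`
SELECT 1;
"""

if __name__ == "__main__":
    for lineno, cmd, body in find_backtick_meta_commands(SAMPLE_DUMP):
        print(f"line {lineno}: \\{cmd} would shell out to: {body}")
```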