Re: Path Traversal Vulnerability in pg_dump Directory Format

From: "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com>
To: Dilip Kumar <dilipbalaut(at)gmail(dot)com>
Cc: Imran Zaheer <imran(dot)zhir(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, jchord(at)google(dot)com, dtighe(at)google(dot)com
Subject: Re: Path Traversal Vulnerability in pg_dump Directory Format
Date: 2026-07-14 08:53:50
Message-ID: 87zezuostd.fsf@gmail.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hello!

>> > I was taking a look into the patch and, yes it works as expected, but I
>> > also manage to get the same result of a path traversal having a with a
>> > symlink as follow:
>> >
>> > blob_16388.dat -> ../../../../../../../etc/passwd
>> >
>> > Probably it could be worthy to add the symlink check with lstat() ?
>
> Yeah that makes sense. I have fixed that.

I've tested the patch and now the error it's clear:

pg_restore -f testo-bad3.sql testo.dump-traversal/
pg_restore: error: invalid archive: entry file "testo.dump-traversal//blob_123.dat" is a symbolic link

The only thing that it was a bit weird to me, is that the check using
lstat() was made after checking the traversal path, since this check is
less expensive in terms of functions calls, probably it could be
worthy?

Regards!
--
Jonathan Gonzalez V.
EDB
https://www.enterprisedb.com

In response to

Browse pgsql-hackers by date

  From Date Subject
Previous Message Xing Guo 2026-07-14 08:52:03 [PATCH v1] plpython: Pair SPI_connect and SPI_finish in the same function