| From: | "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com> |
|---|---|
| To: | Dilip Kumar <dilipbalaut(at)gmail(dot)com> |
| Cc: | Imran Zaheer <imran(dot)zhir(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, jchord(at)google(dot)com, dtighe(at)google(dot)com |
| Subject: | Re: Path Traversal Vulnerability in pg_dump Directory Format |
| Date: | 2026-07-14 08:53:50 |
| Message-ID: | 87zezuostd.fsf@gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello!
>> > I was taking a look into the patch and, yes it works as expected, but I
>> > also manage to get the same result of a path traversal having a with a
>> > symlink as follow:
>> >
>> > blob_16388.dat -> ../../../../../../../etc/passwd
>> >
>> > Probably it could be worthy to add the symlink check with lstat() ?
>
> Yeah that makes sense. I have fixed that.
I've tested the patch and now the error it's clear:
pg_restore -f testo-bad3.sql testo.dump-traversal/
pg_restore: error: invalid archive: entry file "testo.dump-traversal//blob_123.dat" is a symbolic link
The only thing that it was a bit weird to me, is that the check using
lstat() was made after checking the traversal path, since this check is
less expensive in terms of functions calls, probably it could be
worthy?
Regards!
--
Jonathan Gonzalez V.
EDB
https://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Previous Message | Xing Guo | 2026-07-14 08:52:03 | [PATCH v1] plpython: Pair SPI_connect and SPI_finish in the same function |