| From: | "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com> |
|---|---|
| To: | Dilip Kumar <dilipbalaut(at)gmail(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, jchord(at)google(dot)com, dtighe(at)google(dot)com |
| Subject: | Re: Path Traversal Vulnerability in pg_dump Directory Format |
| Date: | 2026-07-03 15:07:17 |
| Message-ID: | 87zf089knu.fsf@gmail.com |
| Lists: | pgsql-hackers |
Hello!!
Dilip Kumar <dilipbalaut(at)gmail(dot)com> writes:
> I would like to submit a patch to address a path traversal
> vulnerability in pg_dump's directory format mode (-F d). Currently,
> filenames listed in directory-format TOC files (toc.dat and
> blobs_*.toc) are treated as trusted when reading an archive during a
> restore. If an archive entry filename is maliciously modified to
> contain path traversal elements (such as ..) or directory separators,
> pg_restore can be tricked into reading files outside the intended
> backup directory. The attached patch fixes this vulnerability.
I was taking a look at the patch and, yes, it works as expected, but I
also managed to get the same result of a path traversal with a symlink as
follows:
blob_16388.dat -> ../../../../../../../etc/passwd
Probably it could be worthwhile to add a symlink check with lstat()?
Regards,
--
Jonathan Gonzalez V.
EDB
https://www.enterprisedb.com
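As an added example (not code from the patch or from PostgreSQL itself), here is the kind of defensive check the thread is discussing: reject TOC filenames that carry a directory separator or a bare `..`, then lstat() the entry inside the archive directory and refuse anything that is not a regular file, so a symlink planted there is never followed. The fixture directory under /tmp and the names blob_1.dat / blob_2.dat are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reject TOC filenames that could escape the archive directory: empty
 * names, a directory separator ('/' or '\\'), or a bare "." / "..". */
int toc_filename_is_safe(const char *fname)
{
    if (fname == NULL || fname[0] == '\0' || strchr(fname, '/') != NULL ||
        strchr(fname, '\\') != NULL)
        return 0;
    return strcmp(fname, ".") != 0 && strcmp(fname, "..") != 0;
}

/* lstat() the entry inside the archive directory and refuse anything that
 * is not a plain regular file, so a planted symlink is never followed.
 * Returns 1 if the entry is safe to open, 0 otherwise. */
int archive_entry_is_regular(const char *dir, const char *fname)
{
    char path[4096];
    struct stat st;
    if (!toc_filename_is_safe(fname))
        return 0;
    if (snprintf(path, sizeof path, "%s/%s", dir, fname) >= (int) sizeof path)
        return 0;
    if (lstat(path, &st) != 0)      /* missing or unreadable: unsafe */
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Constructed fixture (demo only): temp dir with a regular blob_1.dat and a
 * blob_2.dat symlink pointing outside it; path is cached after first call. */
const char *build_fixture(void)
{
    static char dir[] = "/tmp/pgdump_demo_XXXXXX";
    static int built = 0;
    char path[4096];
    FILE *f;
    if (built) return dir;
    if (mkdtemp(dir) == NULL) return NULL;
    snprintf(path, sizeof path, "%s/blob_1.dat", dir);
    if ((f = fopen(path, "w")) == NULL) return NULL;
    fputs("constructed blob contents\n", f); fclose(f);
    snprintf(path, sizeof path, "%s/blob_2.dat", dir);
    if (symlink("../../../../../../../etc/passwd", path) != 0) return NULL;
    built = 1;
    return dir;
}
```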