| From: | Imran Zaheer <imran(dot)zhir(at)gmail(dot)com> |
|---|---|
| To: | "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com> |
| Cc: | Dilip Kumar <dilipbalaut(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, jchord(at)google(dot)com, dtighe(at)google(dot)com |
| Subject: | Re: Path Traversal Vulnerability in pg_dump Directory Format |
| Date: | 2026-07-03 17:23:38 |
| Message-ID: | CA+UBfa=8juMS2sUQZoVZhj-K6dqrvfvosGvn7w9m-dsc+tbF7A@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi
+ strstr(relativeFilename, "..") != NULL ||
This will also reject a valid unix filename i.e. "blob..1.toc" which
are unrelated to path traversal. Should we care about such file names
here?
Thanks
Imran Zaheer
On Fri, Jul 3, 2026 at 8:07 PM Jonathan Gonzalez V.
<jonathan(dot)abdiel(at)gmail(dot)com> wrote:
>
>
> Hello!!
>
> Dilip Kumar <dilipbalaut(at)gmail(dot)com> writes:
> > I would like to submit a patch to address a path traversal
> > vulnerability in pg_dump's directory format mode (-F d). Currently,
> > filenames listed in directory-format TOC files (toc.dat and
> > blobs_*.toc) are treated as trusted when reading an archive during a
> > restore. If an archive entry filename is maliciously modified to
> > contain path traversal elements (such as ..) or directory separators,
> > pg_restore can be tricked into reading files outside the intended
> > backup directory. The attached patch fixes this vulnerability.
>
> I was taking a look into the patch and, yes it works as expected, but I
> also manage to get the same result of a path traversal having a with a
> symlink as follow:
>
> blob_16388.dat -> ../../../../../../../etc/passwd
>
> Probably it could be worthy to add the symlink check with lstat() ?
>
> Regards,
> --
> Jonathan Gonzalez V.
> EDB
> https://www.enterprisedb.com
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Antonin Houska | 2026-07-03 17:26:17 | Re: REPACK CONCURRENTLY fails on tables with generated columns |
| Previous Message | Nisha Moond | 2026-07-03 16:45:14 | Re: Support EXCEPT for TABLES IN SCHEMA publications |