Forbid use of LF and CR characters in database and role names

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Forbid use of LF and CR characters in database and role names
Date: 2016-08-12 01:12:15
Message-ID: CAB7nPqRbDwmrZW-W6QW6AwiL1WoZJO4XJ-b1+_O4xyy67zn=Fw@mail.gmail.com
Lists: pgsql-hackers

Hi all,

As CVE-2016-5424 has recently brought to light, using LF and CR in
database and role names can lead to unexpected problems in the way
they are handled in logical backups or generated command lines. There
is also a comment in the code mentioning a potential restriction
for that, precisely in fe_utils/string_utils.c:
+ * Forbid LF or CR characters, which have scant practical use beyond designing
+ * security breaches. The Windows command shell is unusable as a conduit for
+ * arguments containing LF or CR characters. A future major release should
+ * reject those characters in CREATE ROLE and CREATE DATABASE, because use
+ * there eventually leads to errors here.

Note that pg_dump[all] and pg_upgrade already have safeguards against
those things, via the same routines that add quotes for execution as
commands in psql and the shell. So attached is a patch to implement this
restriction in the backend, and I am adding it to the next CF for
10.0. Also attached is a script able to trigger those errors.
Thoughts?
--
Michael

Attachment Content-Type Size
forbid-cr-lf.patch invalid/octet-stream 3.2 KB
createddl.pl text/x-perl-script 466 bytes
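An added illustration of the two checks the message talks about, written for this page and not taken from the patch or from PostgreSQL's sources: a backend-style name check that rejects LF/CR at creation time, and a consumer-side shell quoting routine in the spirit of fe_utils that refuses such names instead of emitting a broken command line. The function names (check_role_or_db_name, quote_for_shell) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* True if the name contains an LF or CR byte, the two characters the
 * proposed backend restriction would reject in CREATE ROLE / CREATE DATABASE. */
bool name_has_crlf(const char *name)
{
    return strpbrk(name, "\r\n") != NULL;
}

/* Backend-side check (hypothetical helper): 0 for an acceptable name,
 * -1 if the name contains LF or CR and must be refused at creation time. */
int check_role_or_db_name(const char *name)
{
    return name_has_crlf(name) ? -1 : 0;
}

/* Append k bytes to buf, keeping room for the terminating NUL. */
static bool append_bytes(char *buf, size_t buflen, size_t *n, const char *s, size_t k)
{
    if (*n + k + 1 > buflen)
        return false;
    memcpy(buf + *n, s, k);
    *n += k;
    buf[*n] = '\0';
    return true;
}

/* Consumer-side quoting for a POSIX shell, modelled on the fe_utils approach:
 * wrap the name in single quotes, turn each embedded quote into '\'' and
 * refuse LF/CR outright, since no quoting makes them safe on every shell.
 * Returns the quoted length, or -1 on refusal or when buf is too small. */
int quote_for_shell(const char *name, char *buf, size_t buflen)
{
    size_t n = 0;
    if (buflen == 0 || name_has_crlf(name))
        return -1;
    buf[0] = '\0';
    if (!append_bytes(buf, buflen, &n, "'", 1)) return -1;
    for (const char *p = name; *p; p++) {
        if (*p == '\'') {
            if (!append_bytes(buf, buflen, &n, "'\\''", 4)) return -1;
        } else if (!append_bytes(buf, buflen, &n, p, 1)) {
            return -1;
        }
    }
    if (!append_bytes(buf, buflen, &n, "'", 1)) return -1;
    return (int) n;
}
```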
