Skip site navigation (1) Skip section navigation (2)

pgsql: Prevent access to external files/URLs via XML entityreferences.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Prevent access to external files/URLs via XML entityreferences.
Date: 2012-08-14 22:33:41
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-committers
Prevent access to external files/URLs via XML entity references.

xml_parse() would attempt to fetch external files or URLs as needed to
resolve DTD and entity references in an XML value, thus allowing
unprivileged database users to attempt to fetch data with the privileges
of the database server.  While the external data wouldn't get returned
directly to the user, portions of it could be exposed in error messages
if the data didn't parse as valid XML; and in any case the mere ability
to check existence of a file might be useful to an attacker.

The ideal solution to this would still allow fetching of references that
are listed in the host system's XML catalogs, so that documents can be
validated according to installed DTDs.  However, doing that with the
available libxml2 APIs appears complex and error-prone, so we're not going
to risk it in a security patch that necessarily hasn't gotten wide review.
So this patch merely shuts off all access, causing any external fetch to
silently expand to an empty string.  A future patch may improve this.

In HEAD and 9.2, also suppress warnings about undefined entities, which
would otherwise occur as a result of not loading referenced DTDs.  Previous
branches don't show such warnings anyway, due to different error handling

Credit to Noah Misch for first reporting the problem, and for much work
towards a solution, though this simplistic approach was not his preference.
Also thanks to Daniel Veillard for consultation.

Security: CVE-2012-3489



Modified Files
src/backend/utils/adt/xml.c         |   28 ++++++++++++++++++++++++++++
src/test/regress/expected/xml.out   |   20 ++++++++++++++++++++
src/test/regress/expected/xml_1.out |   14 ++++++++++++++
src/test/regress/sql/xml.sql        |    6 ++++++
4 files changed, 68 insertions(+), 0 deletions(-)

pgsql-committers by date

Next:From: Tom LaneDate: 2012-08-14 22:33:42
Subject: pgsql: Prevent access to external files/URLs via XML entityreferences.
Previous:From: Peter EisentrautDate: 2012-08-14 20:44:21
Subject: pgsql: Translation updates

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group