| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | Thomas Lockhart <lockhart(at)alumni(dot)caltech(dot)edu>, Postgres Hackers List <hackers(at)postgreSQL(dot)org> |
| Subject: | Re: [HACKERS] Re: [PATCHES] createdb/dropdb fixes |
| Date: | 1999-12-14 23:44:15 |
| Message-ID: | 16628.945215055@sss.pgh.pa.us |
| Lists: | pgsql-hackers |

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:

> It's really about statements like this:
> snprintf(buf, sizeof(buf), "rm -rf '%s'", path);
> There is no way around disallowing single-quotes unless you double quote
> the argument and be very careful with the escaping.

Yes. In fact, I'd argue for filtering the names more heavily than that;
just to take a for-example, Bad Things would ensue if we accepted a
database name of "..".

It is easy to devise cases in which accepting leading "." or embedded "/"
leads to disaster; if you think those are OK, allow me to destroy your
installation for you ;-). I haven't yet thought of a way to cause
trouble with a back-quote in a DB name (given that single quotes are
disallowed) ... but I bet some enterprising hacker can find one.

Beyond the bare minimum security issues, I also think we should take
pity on the poor dbadmin who may have to be looking at these
subdirectories or filenames. Is it really a good idea to allow carriage
returns or other control characters in file/directory names? Is it
even a good idea to allow spaces? I don't think so. If we were not
using these names for Unix file/dir names then we could allow anything
we felt like --- but since we are using them that way, I think that the
safest path is to only allow things that are going to look like ordinary
file names when used in Unix shell commands. Otherwise there's still a
big chance of trouble if the dbadmin gets a little bit careless.

> Of course this particular case might as well use unlink(),

Not unless your system's unlink is much different from mine's...

regards, tom lane
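The filtering Tom argues for, written out as an added C example that is not PostgreSQL's code: `is_safe_dbname` is a hypothetical allowlist validator (the exact allowed set is my assumption about what "ordinary file names" should mean), and `unlink_refuses_directory` checks his closing point that unlink() cannot stand in for "rm -rf" on a directory.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical validator (added example, not PostgreSQL code).  Accept only
 * names that will look like ordinary file names inside a Unix shell command:
 * ASCII letters, digits, '_', '-' and '.'.  A leading '.' is refused (that
 * covers "." and ".."), and so is a leading '-' (rm would read it as an
 * option); everything else, including '/', quotes, backquotes, spaces and
 * control characters, is rejected outright rather than escaped. */
int is_safe_dbname(const char *name)
{
    const unsigned char *p = (const unsigned char *) name;

    if (name == NULL || *p == '\0' || *p == '.' || *p == '-')
        return 0;
    for (; *p != '\0'; p++)
    {
        if (*p >= 0x80)                      /* non-ASCII: not "ordinary" */
            return 0;
        if (!isalnum(*p) && *p != '_' && *p != '-' && *p != '.')
            return 0;                        /* '/', '\'', '`', ' ', CR/LF... */
    }
    return 1;
}

/* Tom's closing point: unlink() is no substitute for "rm -rf", because it
 * refuses to remove a directory (EISDIR on Linux, EPERM on the BSDs/macOS).
 * Creates a scratch directory under the current directory, tries unlink()
 * on it, then cleans up with rmdir().  Returns 1 if unlink() refused, 0 if
 * it did not, -1 if the scratch directory could not be created. */
int unlink_refuses_directory(void)
{
    char path[64];
    int refused = 0;

    snprintf(path, sizeof(path), "dbname_demo_%ld", (long) getpid());
    if (mkdir(path, 0700) != 0)
        return -1;
    if (unlink(path) == -1 && (errno == EISDIR || errno == EPERM))
        refused = 1;
    rmdir(path);
    return refused;
}
```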