Re: [HACKERS] Re: [PATCHES] createdb/dropdb fixes

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> It's really about statements like this:

> snprintf(buf, sizeof(buf), "rm -rf '%s'", path);

> There is no way around disallowing single-quotes unless you double quote
> the argument and be very careful with the escaping.

Yes. In fact, I'd argue for filtering the names more heavily than that;
just to take a for-example, Bad Things would ensue if we accepted a
database name of "..".

It is easy to devise cases in which accepting leading "." or embedded "/"
leads to disaster; if you think those are OK, allow me to destroy your
installation for you ;-). I haven't yet thought of a way to cause
trouble with a back-quote in a DB name (given that single quotes are
disallowed) ... but I bet some enterprising hacker can find one.

Beyond the bare minimum security issues, I also think we should take
pity on the poor dbadmin who may have to be looking at these
subdirectories or filenames. Is it really a good idea to allow carriage
returns or other control characters in file/directory names? Is it
even a good idea to allow spaces? I don't think so. If we were not
using these names for Unix file/dir names then we could allow anything
we felt like --- but since we are using them that way, I think that the
safest path is to only allow things that are going to look like ordinary
file names when used in Unix shell commands. Otherwise there's still a
big chance of trouble if the dbadmin gets a little bit careless.

> Of course this particular case might as well use unlink(),

Not unless your system's unlink is much different from mine's...

regards, tom lane