| Lists: | pgsql-bugspgsql-hackers |
|---|
| From: | Sergey Burladyan <eshkinkot(at)gmail(dot)com> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | bug or not bug, xmlvalidate(xml, text) can read and show one line from file |
| Date: | 2008-02-29 14:57:27 |
| Message-ID: | 200802291757.27749.eshkinkot@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-bugs pgsql-hackers |
Hi, all
seb=> select version();
version
--------------------------------------------------------------------------------------------------------------------
PostgreSQL 8.3.0 on x86_64-pc-linux-gnu, compiled by GCC
x86_64-pc-linux-gnu-gcc (GCC) 4.1.2 (Gentoo 4.1.2 p1.0.2)
xmlvalidate(xml, text) trying to read from file and if it is not correct -
notice error with first readed line. it is ok and good, but xmlvalidate can
read from _any_ file what DB process can access for read.
for example:
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '/etc/passwd');
ERROR: could not load DTD
ПОДРОБНО: /etc/passwd:1: parser error : Content error in the external subset
root:x:0:0:root:/root:/bin/bash
^
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '../data/postmaster.opts');
ERROR: could not load DTD
ПОДРОБНО: ../data/postmaster.opts:1: parser error : Content error in the
external subset
/usr/lib64/postgresql-8.3/bin/postgres -D /var/lib/postgresql/8.3/data --silent-
^
first line from private server ssl key :)
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '../data/server.key');
ERROR: could not load DTD
ПОДРОБНО: ../data/server.key:1: parser error : Content error in the external
subset
-----BEGIN RSA PRIVATE KEY-----
^
i don't know is this bug or security issue or not...
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Sergey Burladyan <eshkinkot(at)gmail(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file |
| Date: | 2008-02-29 16:26:04 |
| Message-ID: | 4330.1204302364@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-bugs pgsql-hackers |
Sergey Burladyan <eshkinkot(at)gmail(dot)com> writes:
> [ xmlvalidate is a security hole ]
Given that this function is not documented nor tested in the regression
tests, I propose diking it out entirely.
regards, tom lane
| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Sergey Burladyan <eshkinkot(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file |
| Date: | 2008-02-29 19:30:10 |
| Message-ID: | 200802292030.15661.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-bugs pgsql-hackers |
Am Freitag, 29. Februar 2008 schrieb Tom Lane:
> Sergey Burladyan <eshkinkot(at)gmail(dot)com> writes:
> > [ xmlvalidate is a security hole ]
>
> Given that this function is not documented nor tested in the regression
> tests, I propose diking it out entirely.
Yes, it was accidentally left over from previous work. We should have removed
it before the release, but that would have required an initdb.
| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-bugs(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Sergey Burladyan <eshkinkot(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file |
| Date: | 2008-02-29 19:42:27 |
| Message-ID: | 20080229194227.GO4673@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-bugs pgsql-hackers |
Peter Eisentraut escribió:
> Am Freitag, 29. Februar 2008 schrieb Tom Lane:
> > Sergey Burladyan <eshkinkot(at)gmail(dot)com> writes:
> > > [ xmlvalidate is a security hole ]
> >
> > Given that this function is not documented nor tested in the regression
> > tests, I propose diking it out entirely.
>
> Yes, it was accidentally left over from previous work. We should have removed
> it before the release, but that would have required an initdb.
So let's change it for a function that elog(ERROR)s on entry.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-bugs(at)postgresql(dot)org, Sergey Burladyan <eshkinkot(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file |
| Date: | 2008-02-29 19:47:51 |
| Message-ID: | 11373.1204314471@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-bugs pgsql-hackers |
Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Peter Eisentraut escribi:
>> Yes, it was accidentally left over from previous work. We should have removed
>> it before the release, but that would have required an initdb.
> So let's change it for a function that elog(ERROR)s on entry.
Yeah, I was just going to make it throw a "not implemented" error.
regards, tom lane