rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
34,005 Commits 36 Branches 606 Tags 423 MiB
C 86%
PLpgSQL 5.5%
Perl 4.1%
Yacc 1.3%
Makefile 0.7%
Other 2.3%
Go to file
Tom Lane adc97d03b9 Prevent access to external files/URLs via contrib/xml2's xslt_process(). 
libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488
 		2012-08-14 18:31:18 -04:00
config Put back AC_REQUIRE([AC_STRUCT_TM]). 2012-05-14 23:06:48 -04:00
contrib Prevent access to external files/URLs via contrib/xml2's xslt_process(). 2012-08-14 18:31:18 -04:00
doc Prevent access to external files/URLs via contrib/xml2's xslt_process(). 2012-08-14 18:31:18 -04:00
src Prevent access to external files/URLs via XML entity references. 2012-08-14 18:31:16 -04:00
.gitignore Add gitignore for mingw/cygwin build outputs 2011-06-09 18:11:47 +02:00
COPYRIGHT Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
GNUmakefile.in Make init-po and update-po recursive make targets 2012-06-29 14:01:54 +03:00
Makefile Allow make check in PL directories 2011-02-15 06:52:12 +02:00
README Remove useless whitespace at end of lines 2010-11-23 22:34:55 +02:00
README.git Trivial typo fix. 2010-09-21 14:16:00 -04:00
aclocal.m4 Remove cvs keywords from all files. 2010-09-20 22:08:53 +02:00
configure Add fsync capability to initdb, and use sync_file_range() if available. 2012-07-13 17:16:58 -04:00
configure.in Add fsync capability to initdb, and use sync_file_range() if available. 2012-07-13 17:16:58 -04:00

README 

PostgreSQL Database Management System
=====================================

This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	http://www.postgresql.org/download

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Changes between all PostgreSQL releases are recorded in the
file HISTORY.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
http://www.postgresql.org/download/.  For more information look at our
web site located at http://www.postgresql.org/.