rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-08-21 18:03:22 +02:00
Code Issues Packages Projects Releases Wiki Activity
fcd15f1358
postgresql/src/bin/pg_upgrade
History
Noah Misch fcd15f1358 Obstruct shell, SQL, and conninfo injection via database and role names. 
Due to simplistic quoting and confusion of database names with conninfo
strings, roles with the CREATEDB or CREATEROLE option could escalate to
superuser privileges when a superuser next ran certain maintenance
commands.  The new coding rule for PQconnectdbParams() calls, documented
at conninfo_array_parse(), is to pass expand_dbname=true and wrap
literal database names in a trivial connection string.  Escape
zero-length values in appendConnStrVal().  Back-patch to 9.1 (all
supported versions).

Nathan Bossart, Michael Paquier, and Noah Misch.  Reviewed by Peter
Eisentraut.  Reported by Nathan Bossart.

Security: CVE-2016-5424
2016-08-08 10:07:46 -04:00
..
.gitignore Move pg_upgrade from contrib/ to src/bin/ 2015-04-14 19:26:38 -04:00
check.c Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
controldata.c pgindent run for 9.6 2016-06-09 18:02:36 -04:00
dump.c Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
exec.c Update copyright for 2016 2016-01-02 13:33:40 -05:00
file.c Reword bogus comment 2016-06-16 12:43:35 -04:00
function.c Update copyright for 2016 2016-01-02 13:33:40 -05:00
IMPLEMENTATION Move pg_upgrade from contrib/ to src/bin/ 2015-04-14 19:26:38 -04:00
info.c Improve pg_upgrade's report about failure to match up old and new tables. 2016-05-06 14:45:01 -04:00
Makefile Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
option.c Fix typos. 2016-03-15 18:06:11 -04:00
parallel.c Update copyright for 2016 2016-01-02 13:33:40 -05:00
pg_upgrade.c Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
pg_upgrade.h Remove unused prototype 2016-06-16 12:06:51 -04:00
relfilenode.c pg_upgrade: Don't overwrite existing files. 2016-06-06 09:51:56 -04:00
server.c Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
tablespace.c pgindent run for 9.6 2016-06-09 18:02:36 -04:00
test.sh Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00
TESTING Move pg_upgrade from contrib/ to src/bin/ 2015-04-14 19:26:38 -04:00
util.c Update copyright for 2016 2016-01-02 13:33:40 -05:00
version.c Obstruct shell, SQL, and conninfo injection via database and role names. 2016-08-08 10:07:46 -04:00