Hello!!

Dilip Kumar <[email protected]> writes:
> I would like to submit a patch to address a path traversal
> vulnerability in pg_dump's directory format mode (-F d). Currently,
> filenames listed in directory-format TOC files (toc.dat and
> blobs_*.toc) are treated as trusted when reading an archive during a
> restore. If an archive entry filename is maliciously modified to
> contain path traversal elements (such as ..) or directory separators,
> pg_restore can be tricked into reading files outside the intended
> backup directory.  The attached patch fixes this vulnerability.

I was taking a look into the patch and, yes it works as expected, but I
also manage to get the same result of a path traversal having a with a
symlink as follow:

blob_16388.dat -> ../../../../../../../etc/passwd

Probably it could be worthy to add the symlink check with lstat() ?

Regards,
--
Jonathan Gonzalez V.
EDB
https://www.enterprisedb.com


Reply via email to