Hi all,

As CVE-2016-5424 has recently brought to light, using LF and CR in database and role names can lead to unexpected problems in the way they are handled in logical backups or generated command lines. There is as well a comment in the code mentioning a potential restriction for that, precisely in fe_utils/string_utils.c:

+ * Forbid LF or CR characters, which have scant practical use beyond designing
+ * security breaches. The Windows command shell is unusable as a conduit for
+ * arguments containing LF or CR characters. A future major release should
+ * reject those characters in CREATE ROLE and CREATE DATABASE, because use
+ * there eventually leads to errors here.

Note that pg_dump[all] and pg_upgrade already have safeguards against those things per the same routines putting quotes for execution as commands into psql and shell.

So attached is a patch to implement this restriction in the backend, and I am adding that to the next CF for 10.0. Attached is as well a script able to trigger those errors.

Thoughts?
--
Michael

forbid-cr-lf.patch
Description: invalid/octet-stream
#!/usr/bin/perl
use strict;
use warnings;

# Generate a string made of the given range of ASCII characters
sub generate_ascii_string
{
	my ($from_char, $to_char) = @_;
	my $res = '';

	for my $i ($from_char .. $to_char)
	{
		$res .= sprintf("%c", $i);
	}
	return $res;
}

# Characters 7 through 10, ending in LF (10)
my $lf_str = generate_ascii_string(7, 10);
# Characters 11 through 13, ending in CR (13)
my $cr_str = generate_ascii_string(11, 13);

# Pass the names as separate arguments, without going through a shell
system('createdb', $lf_str);
system('createdb', $cr_str);
system('createuser', $lf_str);
system('createuser', $cr_str);
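The guard described in the quoted string_utils.c comment, as an added example that is not part of the original message and is not PostgreSQL's code: a name check that rejects LF and CR, and a POSIX shell quoting routine that refuses such arguments instead of emitting them. The names name_is_safe and shell_quote are hypothetical, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true when the name contains neither LF nor CR. */
bool name_is_safe(const char *name)
{
    return strpbrk(name, "\n\r") == NULL;
}

/*
 * Hypothetical helper: single-quote arg for a POSIX shell into out.
 * Returns false if arg contains LF/CR or the result does not fit;
 * the caller must then not build the command line at all.
 */
bool shell_quote(const char *arg, char *out, size_t outlen)
{
    size_t n = 0;

    if (!name_is_safe(arg) || outlen < 3)
        return false;
    out[n++] = '\'';
    for (const char *p = arg; *p; p++) {
        /* An embedded quote becomes '\'' (close, escaped quote, reopen). */
        const char *piece = (*p == '\'') ? "'\\''" : NULL;
        size_t len = piece ? 4 : 1;

        /* Always keep room for the closing quote and the NUL. */
        if (n + len + 2 > outlen)
            return false;
        if (piece)
            memcpy(out + n, piece, len);
        else
            out[n] = *p;
        n += len;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample names, the last two carrying LF and CR. */
    const char *names[] = { "postgres", "it's", "db\nname", "role\r" };
    char buf[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%zu: %s\n", i,
               shell_quote(names[i], buf, sizeof buf) ? buf : "rejected (LF/CR)");
    return 0;
}
```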