bug or not bug, xmlvalidate(xml, text) can read and show one line from file
Hi, all
seb=> select version();
version
--------------------------------------------------------------------------------------------------------------------
PostgreSQL 8.3.0 on x86_64-pc-linux-gnu, compiled by GCC
x86_64-pc-linux-gnu-gcc (GCC) 4.1.2 (Gentoo 4.1.2 p1.0.2)
xmlvalidate(xml, text) tries to read from a file and, if it is not correct,
reports an error with the first line read. That is OK and good, but xmlvalidate can
read from _any_ file that the DB process can access for reading.
for example:
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '/etc/passwd');
ERROR: could not load DTD
ПОДРОБНО: /etc/passwd:1: parser error : Content error in the external subset
root:x:0:0:root:/root:/bin/bash
^
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '../data/postmaster.opts');
ERROR: could not load DTD
ПОДРОБНО: ../data/postmaster.opts:1: parser error : Content error in the
external subset
/usr/lib64/postgresql-8.3/bin/postgres -D /var/lib/postgresql/8.3/data --silent-
^
The first line of the server's private SSL key :)
seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in
b</b></a>'), '../data/server.key');
ERROR: could not load DTD
ПОДРОБНО: ../data/server.key:1: parser error : Content error in the external
subset
-----BEGIN RSA PRIVATE KEY-----
^
I don't know whether this is a bug or a security issue or not...
Sergey Burladyan <eshkinkot@gmail.com> writes:
[ xmlvalidate is a security hole ]
Given that this function is not documented nor tested in the regression
tests, I propose diking it out entirely.
regards, tom lane
On Friday, 29 February 2008, Tom Lane wrote:
Sergey Burladyan <eshkinkot@gmail.com> writes:
[ xmlvalidate is a security hole ]
Given that this function is not documented nor tested in the regression
tests, I propose diking it out entirely.
Yes, it was accidentally left over from previous work. We should have removed
it before the release, but that would have required an initdb.
Peter Eisentraut wrote:
On Friday, 29 February 2008, Tom Lane wrote:
Sergey Burladyan <eshkinkot@gmail.com> writes:
[ xmlvalidate is a security hole ]
Given that this function is not documented nor tested in the regression
tests, I propose diking it out entirely.
Yes, it was accidentally left over from previous work. We should have removed
it before the release, but that would have required an initdb.
So let's change it for a function that elog(ERROR)s on entry.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Alvaro Herrera <alvherre@commandprompt.com> writes:
Peter Eisentraut wrote:
Yes, it was accidentally left over from previous work. We should have removed
it before the release, but that would have required an initdb.
So let's change it for a function that elog(ERROR)s on entry.
Yeah, I was just going to make it throw a "not implemented" error.
regards, tom lane
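A defender-side check and stopgap for the 8.3.0 behaviour reported above, as an added example that is not part of the thread or of PostgreSQL itself: it confirms whether the undocumented xmlvalidate(xml, text) is callable by every role and withdraws EXECUTE from PUBLIC until the server runs a release where the function only raises an error. It assumes a superuser session and uses `app_user` as an assumed name for an ordinary role.

```sql
-- Constructed example: inspect and lock down xmlvalidate(xml, text) on a
-- PostgreSQL 8.3.0 server. Run as a superuser.

-- 1. Is the undocumented function present, and what ACL does it carry?
--    proacl IS NULL means the default for functions: EXECUTE granted to PUBLIC,
--    so any role can point the DTD argument at a file the server can read.
SELECT n.nspname,
       p.proname,
       oidvectortypes(p.proargtypes) AS argtypes,
       p.proacl
FROM   pg_catalog.pg_proc p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname = 'xmlvalidate';

-- 2. Stopgap until the upgrade: withdraw EXECUTE from every non-superuser role.
--    Superusers bypass function ACLs, so this only narrows who can trigger the
--    read; the real fix is the release that disables the function.
REVOKE EXECUTE ON FUNCTION pg_catalog.xmlvalidate(xml, text) FROM PUBLIC;

-- 3. Verify from the perspective of an ordinary role (app_user is an assumed
--    name); the result should be false for every role that is not a superuser
--    and has not been granted EXECUTE explicitly.
SELECT has_function_privilege('app_user',
                              'pg_catalog.xmlvalidate(xml, text)',
                              'EXECUTE') AS app_user_can_execute;
```

Re-run step 1 after the REVOKE: proacl is no longer NULL and lists only the owner, which is the state you want recorded before the upgrade removes the function's body.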