So, this is not an installer issue. Is this bug raised to the PostgreSQL community? If yes, you should submit the patch there.
On Tue, Oct 29, 2013 at 6:23 AM, Naoya Anzai <anzai-na...@mxu.nes.nec.co.jp>wrote: > Hi, Asif > > Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf. > > > Good finding. I have attached another version of patch > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of > code changes, can you please take a look ?. Thanks. > > I think your patch is not sufficient to fix. > Not only "pg_ctl.exe" but "postgres.exe" also have the same problem. > Even if your patch is attached, > A Path of "postgres.exe" passed to CreateRestrictedProcess is not enclosed > in quotation.(See pgwin32_ServiceMain at pg_ctl.c) > > So, processing enclosed in quotation should do in both conditions. > > Regards, > Naoya > > --- > Naoya Anzai > Engineering Department > NEC Soft, Ltd. > E-Mail: anzai-na...@mxu.nes.nec.co.jp > --- > > > > Hi Sandeep, > > > > PFA Naoya's patch (pg_ctl.c.patch). > > > > Hi Naoya, > > > > Good finding. I have attached another version of patch > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of > code changes, can you please take a look ?. Thanks. > > > > Best Regards, > > Asif Naeem > > > > > > On Mon, Oct 28, 2013 at 4:46 PM, Sandeep Thakkar < > sandeep.thak...@enterprisedb.com> wrote: > > > > > > Hi Dave > > > > We register the service using pg_ctl. When I manually executed the > following on the command prompt, I saw that the service path of the > registered service did not have the pg_ctl.exe path in quotes. May be it > should be handled in the pg_ctl code. > > > > c:\Users\Sandeep Thakkar\Documents>"c:\Program > Files\PostgreSQL\9.3\bin\pg_ctl.e > > xe" register -N "pg-9.3" -U "NT AUTHORITY\NetworkService" -D > "c:\Program Files\P > > ostgreSQL\9.3\data" -w > > > > Naoya, I could not find your patch here. Can you please share it > again? > > > > > > > > On Mon, Oct 28, 2013 at 2:53 PM, Dave Page <dp...@pgadmin.org> > wrote: > > > > > > Sandeep, can you look at this please? Thanks. > > > > On Mon, Oct 28, 2013 at 8:18 AM, Asif Naeem < > anaeem...@gmail.com> wrote: > > > It is related to windows unquoted service path > vulnerability in the the > > > installer that creates service path without quotes that > make service.exe to > > > look for undesirable path for executable. > > > > > > postgresql-9.3 service path : > C:/Users/asif/Desktop/Program > > > files/9.3/bin/pg_ctl.exe runservice -N "postgresql-9.3" > -D > > > "C:/Users/asif/Desktop/Program files/9.3/data" -w > > > > > > service.exe > > >> > > >> C:\Users\asif\Desktop\Program NAME NOT FOUND > > >> C:\Users\asif\Desktop\Program.exe NAME NOT FOUND > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > ACCESS DENIED > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > ACCESS DENIED > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice NAME > > >> NOT FOUND > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice.exe > > >> NAME NOT FOUND > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> NAME NOT FOUND > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N.exe > > >> NAME NOT FOUND > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3".exe NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D.exe NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program NAME > INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program.exe > NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program > files\9.3\data" NAME > > >> INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program > files\9.3\data".exe > > >> NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program > files\9.3\data" -w > > >> NAME INVALID > > >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe > runservice -N > > >> "postgresql-9.3" -D "C:\Users\asif\Desktop\Program > files\9.3\data" -w.exe > > >> NAME INVALID > > > > > > > > > Fix : > > > > > > postgresql-9.3 service path : > "C:/Users/asif/Desktop/Program > > > files/9.3/bin/pg_ctl.exe" runservice -N "postgresql-9.3" > -D > > > "C:/Users/asif/Desktop/Program files/9.3/data" -w > > > > > > It would be good if this is reported on pg installer > forum or security > > > forum. Thanks. > > > > > > Regards, > > > Asif Naeem > > > > > > On Mon, Oct 28, 2013 at 12:06 PM, Naoya Anzai > > > <anzai-na...@mxu.nes.nec.co.jp> wrote: > > >> > > >> Hi, Asif. > > >> > > >> Thank you for response. > > >> > > >> > > >> > C:\Users\asif\Desktop\Program > files\9.3>"bin\pg_ctl" -D > > >> > "C:\Users\asif\Desktop\Program files\9.3\data1" -l > logfile start > > >> > server starting > > >> > > >> This failure does not occur by the command line. > > >> PostgreSQL needs to start by Windows Service. > > >> > > >> Additionally,In this case, > > >> A file "Program" needs to be exist at > "C:\Users\asif\Desktop\", and > > >> "postgres.exe" needs to be exist at > "C:\Users\asif\Desktop\Program > > >> files\9.3\bin". > > >> ------------ > > >> C:\Users\asif\Desktop\Program files\9.3\bin>dir > > >> ... > > >> 4,435,456 postgres.exe > > >> 80,896 pg_ctl.exe > > >> ... > > >> > > >> C:\Users\asif\Desktopp>dir > > >> ... > > >> 0 Program > > >> <DIR> Program files > > >> ... > > >> ------------ > > >> > > >> Regards, > > >> Naoya > > >> > > >> > Hi Naoya, > > >> > > > >> > I am not able to reproduce the problem. Do you mean > pg windows service > > >> > installed by installer is not working or bin\pg_ctl > binary is not accepting > > >> > spaces in the patch ?. Following worked for me i.e. > > >> > > > >> > > > >> > C:\Users\asif\Desktop\Program > files\9.3>"bin\pg_ctl" -D > > >> > "C:\Users\asif\Desktop\Program files\9.3\data1" -l > logfile start > > >> > server starting > > >> > > > >> > > > >> > Can you please share the exact steps ?. Thanks. > > >> > > > >> > > > >> > Regards, > > >> > Muhammad Asif Naeem > > >> > > > >> > > > >> > > > >> > On Mon, Oct 28, 2013 at 10:26 AM, Naoya Anzai > > >> > <anzai-na...@mxu.nes.nec.co.jp> wrote: > > >> > > > >> > > > >> > Hi All, > > >> > > > >> > I have found a case that PostgreSQL Service > does not start. > > >> > When it happens, the following error appears. > > >> > > > >> > "is not a valid Win32 application" > > >> > > > >> > This failure occurs when the following > conditions are true. > > >> > > > >> > 1. There is "postgres.exe" in any directory > that contains a space, > > >> > such as "Program Files". > > >> > > > >> > e.g.) > > >> > C:\Program Files\PostgreSQL\bin\postgres.exe > > >> > > > >> > 2. A file using the first white space-delimited > > >> > tokens of that directory as the file name > exists, > > >> > and there is it in the same hierarchy. > > >> > > > >> > e.g.) > > >> > C:\Program //file > > >> > > > >> > "pg_ctl.exe" as PostgreSQL Service creates a > postgres > > >> > process using an absolute path which indicates > the > > >> > location of "postgres.exe",but the path is not > enclosed > > >> > in quotation. > > >> > > > >> > Therefore,if the above-mentioned conditions are > true, > > >> > CreateProcessAsUser(a Windows Function called > by pg_ctl.exe) > > >> > tries to create a process using the other file > such > > >> > as "Program", so the service fails to start. > > >> > > > >> > Accordingly, I think that the command path > should be > > >> > enclosed in quotation. > > >> > > > >> > I created a patch to fix this failure, > > >> > So could anyone confirm? > > >> > > > >> > Regards, > > >> > > > >> > Naoya > > >> > > > >> > --- > > >> > Naoya Anzai > > >> > Engineering Department > > >> > NEC Soft, Ltd. > > >> > E-Mail: anzai-na...@mxu.nes.nec.co.jp > > >> > --- > > >> > > > >> > > > >> > -- > > >> > Sent via pgsql-hackers mailing list ( > pgsql-hackers@postgresql.org) > > >> > To make changes to your subscription: > > >> > > http://www.postgresql.org/mailpref/pgsql-hackers > > >> > > > >> > > > >> > > > >> > > > >> >> > > > > > > -- > > Dave Page > > Blog: http://pgsnake.blogspot.com > > Twitter: @pgsnake > > > > EnterpriseDB UK: http://www.enterprisedb.com > > The Enterprise PostgreSQL Company > > > > > > > > > > > > -- > > > > Sandeep Thakkar > > Senior Software Engineer > > > > > > Phone: +91.20.30589505 <tel:%2B91.20.30589505> > > > > Website: www.enterprisedb.com > > EnterpriseDB Blog: http://blogs.enterprisedb.com/ > > Follow us on Twitter: http://www.twitter.com/enterprisedb > > > > > > > > > > > > > > > > -- Sandeep Thakkar Senior Software Engineer Phone: +91.20.30589505 Website: www.enterprisedb.com EnterpriseDB Blog: http://blogs.enterprisedb.com/ Follow us on Twitter: http://www.twitter.com/enterprisedb
