Hi all,

As CVE-2016-5424 has put recently in light, using LF and CR in
database and role names can lead to unexpected problems in the way
they are handled in logical backups or generated command lines. There
is as well a comment in the code mentioning a potential restriction
for that, precisely in fe_utils/string_utils.c:
+ * Forbid LF or CR characters, which have scant practical use beyond designing
+ * security breaches.  The Windows command shell is unusable as a conduit for
+ * arguments containing LF or CR characters.  A future major release should
+ * reject those characters in CREATE ROLE and CREATE DATABASE, because use
+ * there eventually leads to errors here.

Note that pg_dump[all] and pg_upgrade already have safeguards against
those things per the same routines putting quotes for execution as
commands into psql and shell. So attached is a patch to implement this
restriction in the backend, and I am adding that to the next CF for
10.0. Attached is as well a script able to trigger those errors.

Attachment: forbid-cr-lf.patch
Description: invalid/octet-stream


# Generate a string made of the given range of ASCII characters
sub generate_ascii_string
    my ($from_char, $to_char) = @_;
    my $res;

    for my $i ($from_char .. $to_char)
	$res .= sprintf("%c", $i);
    return $res;

my $lf_str = generate_ascii_string(7, 10);
my $cr_str = generate_ascii_string(11, 13);

system('createdb', $lf_str);
system('createdb', $cr_str);
system('createuser', $lf_str);
system('createuser', $cr_str);
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to