Thread: bug or not bug, xmlvalidate(xml, text) can read and show one line from file

bug or not bug, xmlvalidate(xml, text) can read and show one line from file

From
Sergey Burladyan
Date:
Hi, all

seb=> select version();
                                                      version
--------------------------------------------------------------------------------------------------------------------
 PostgreSQL 8.3.0 on x86_64-pc-linux-gnu, compiled by GCC x86_64-pc-linux-gnu-gcc (GCC) 4.1.2 (Gentoo 4.1.2 p1.0.2)

xmlvalidate(xml, text) tries to read from a file and, if it is not correct,
reports an error with the first line read. it is ok and good, but xmlvalidate can
read from _any_ file that the DB process can access for reading.

for example:

seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in b</b></a>'), '/etc/passwd');
ERROR:  could not load DTD
ПОДРОБНО:  /etc/passwd:1: parser error : Content error in the external subset
root:x:0:0:root:/root:/bin/bash
^

seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in b</b></a>'), '../data/postmaster.opts');
ERROR:  could not load DTD
ПОДРОБНО:  ../data/postmaster.opts:1: parser error : Content error in the external subset
/usr/lib64/postgresql-8.3/bin/postgres -D /var/lib/postgresql/8.3/data --silent-
^

first line from private server ssl key :)

seb=> select xmlvalidate(xml('<a foo="bar">test<b>message in b</b></a>'), '../data/server.key');
ERROR:  could not load DTD
ПОДРОБНО:  ../data/server.key:1: parser error : Content error in the external subset
-----BEGIN RSA PRIVATE KEY-----
^

I don't know whether this is a bug or a security issue or not...

Sergey Burladyan <eshkinkot@gmail.com> writes:
> [ xmlvalidate is a security hole ]

Given that this function is not documented nor tested in the regression
tests, I propose diking it out entirely.
        regards, tom lane


Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file

From
Peter Eisentraut
Date:
On Friday, 29 February 2008, Tom Lane wrote:
> Sergey Burladyan <eshkinkot@gmail.com> writes:
> > [ xmlvalidate is a security hole ]
>
> Given that this function is not documented nor tested in the regression
> tests, I propose diking it out entirely.

Yes, it was accidentally left over from previous work.  We should have removed 
it before the release, but that would have required an initdb.


Re: bug or not bug, xmlvalidate(xml, text) can read and show one line from file

From
Alvaro Herrera
Date:
Peter Eisentraut wrote:
> On Friday, 29 February 2008, Tom Lane wrote:
> > Sergey Burladyan <eshkinkot@gmail.com> writes:
> > > [ xmlvalidate is a security hole ]
> >
> > Given that this function is not documented nor tested in the regression
> > tests, I propose diking it out entirely.
> 
> Yes, it was accidentally left over from previous work.  We should have removed 
> it before the release, but that would have required an initdb.

So let's change it for a function that elog(ERROR)s on entry.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Alvaro Herrera <alvherre@commandprompt.com> writes:
> Peter Eisentraut wrote:
>> Yes, it was accidentally left over from previous work.  We should have removed 
>> it before the release, but that would have required an initdb.

> So let's change it for a function that elog(ERROR)s on entry.

Yeah, I was just going to make it throw a "not implemented" error.
        regards, tom lane
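
Added example, not part of the original thread or of PostgreSQL: a log check for past use of the file read reported above, pairing each "could not load DTD" error with the path the backend tried to parse and the statement that caused it. The log layout, timestamps and the function name find_dtd_file_reads are assumptions; it also assumes statements of failed queries are logged (log_min_error_statement).

```python
import re

# Constructed sample of a PostgreSQL server log; not taken from the thread.
# Assumed format: "<timestamp> <LABEL>:  <text>", with an ERROR line followed
# by its detail and statement lines. The detail label may be localized (the
# thread shows ПОДРОБНО), so only the ERROR text and "parser error" are matched.
SAMPLE_LOG = """\
2008-02-29 10:00:01 ERROR:  could not load DTD
2008-02-29 10:00:01 DETAIL:  /etc/passwd:1: parser error : Content error in the external subset
2008-02-29 10:00:01 STATEMENT:  select xmlvalidate(xml('<a/>'), '/etc/passwd');
2008-02-29 10:00:05 ERROR:  relation "foo" does not exist
2008-02-29 10:00:05 STATEMENT:  select * from foo;
2008-02-29 10:00:09 ERROR:  could not load DTD
2008-02-29 10:00:09 ПОДРОБНО:  ../data/server.key:1: parser error : Content error in the external subset
2008-02-29 10:00:09 STATEMENT:  select xmlvalidate(xml('<a/>'), '../data/server.key');
"""

ERROR_RE = re.compile(r"\bERROR:\s+(?P<msg>.*)$")
DETAIL_RE = re.compile(r":\s+(?P<path>\S+):(?P<line>\d+): parser error\b")
CALL_RE = re.compile(r"xmlvalidate\s*\(", re.IGNORECASE)


def find_dtd_file_reads(log_text):
    """Return one record per 'could not load DTD' error, with the file path
    the backend tried to parse and the statement that triggered it."""
    hits, current = [], None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        err = ERROR_RE.search(line)
        if err:
            current = None  # every ERROR line starts a new log entry
            if err.group("msg").strip() == "could not load DTD":
                current = {"lineno": lineno, "path": None, "statement": None}
                hits.append(current)
            continue
        if current is None:
            continue
        detail = DETAIL_RE.search(line)
        if detail and current["path"] is None:
            current["path"] = detail.group("path")
        elif CALL_RE.search(line):
            current["statement"] = line.split(":  ", 1)[-1].strip()
    return hits


if __name__ == "__main__":
    for hit in find_dtd_file_reads(SAMPLE_LOG):
        print(hit["lineno"], hit["path"], hit["statement"])
```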