git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Tue, 14 Aug 2012 22:28:42 +0000 (18:28 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Tue, 14 Aug 2012 22:32:03 +0000 (18:32 -0400)
commit	e76e25228600709a1b641341be39bef061a36116
tree	4eba1da5dfdeb99cf2c58f0f0786bfedca3dd13d	tree \| snapshot
parent	0df2da9d72b1ab578b1151c33ab434c592e1db4e	commit \| diff

Prevent access to external files/URLs via contrib/xml2's xslt_process().

libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488

contrib/xml2/expected/xml2.out		diff \| blob \| blame \| history
contrib/xml2/expected/xml2_1.out		diff \| blob \| blame \| history
contrib/xml2/sql/xml2.sql		diff \| blob \| blame \| history
contrib/xml2/xslt_proc.c		diff \| blob \| blame \| history
doc/src/sgml/xml2.sgml		diff \| blob \| blame \| history