Convert newlines to spaces in names written in v11+ pg_dump comments.
Noah Misch <noah@leadboat.com>
Convert newlines to spaces in names written in v11+ pg_dump comments. Maliciously-crafted object names could achieve SQL injection during restore. CVE-2012-0868 fixed this class of problem at the time, but later work reintroduced three cases. Commit bc8cd50fefd369b217f80078585c486505aafb62 (back-patched to v11+ in 2023-05 releases) introduced the pg_dump case. Commit 6cbdbd9e8d8f2986fde44f2431ed8d0c8fce7f5d (v12+) introduced the two pg_dumpall cases. Move sanitize_line(), unchanged, to dumputils.c so pg_dumpall has access to it in all supported versions. Back-patch to v13 (all supported versions). Reviewed-by: Robert Haas <robertmhaas@gmail.com> Reviewed-by: Nathan Bossart <nathandbossart@gmail.com> Backpatch-through: 13 Security: CVE-2025-8715
Files
| Path | Change | +/− |
|---|---|---|
| src/bin/pg_dump/dumputils.c | modified | +37 −0 |
| src/bin/pg_dump/dumputils.h | modified | +1 −0 |
| src/bin/pg_dump/pg_backup_archiver.c | modified | +0 −37 |
| src/bin/pg_dump/pg_dumpall.c | modified | +9 −2 |
| src/bin/pg_dump/pg_dump.c | modified | +4 −1 |
| src/bin/pg_dump/t/002_pg_dump.pl | modified | +21 −0 |
| src/bin/pg_dump/t/003_pg_dump_with_server.pl | modified | +17 −2 |