Path Traversal Vulnerability in pg_dump Directory Format
Dilip Kumar <dilipbalaut@gmail.com>
From: Dilip Kumar <dilipbalaut@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
jchord@google.com, dtighe@google.com
Date: 2026-07-03T06:51:57Z
Lists: pgsql-hackers
Attachments
- v1-0001-pg_dump-Validate-archive-entry-filenames-in-direc.patch (application/octet-stream) patch v1-0001
I would like to submit a patch to address a path traversal vulnerability in pg_dump's directory format mode (-F d). Currently, filenames listed in directory-format TOC files (toc.dat and blobs_*.toc) are treated as trusted when reading an archive during a restore. If an archive entry filename is maliciously modified to contain path traversal elements (such as ..) or directory separators, pg_restore can be tricked into reading files outside the intended backup directory. The attached patch fixes this vulnerability. -- Regards, Dilip Kumar Google