Path Traversal Vulnerability in pg_dump Directory Format

Dilip Kumar <dilipbalaut@gmail.com>

From: Dilip Kumar <dilipbalaut@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, jchord@google.com, dtighe@google.com
Date: 2026-07-03T06:51:57Z
Lists: pgsql-hackers

Attachments

I would like to submit a patch to address a path traversal
vulnerability in pg_dump's directory format mode (-F d). Currently,
filenames listed in directory-format TOC files (toc.dat and
blobs_*.toc) are treated as trusted when reading an archive during a
restore. If an archive entry filename is maliciously modified to
contain path traversal elements (such as ..) or directory separators,
pg_restore can be tricked into reading files outside the intended
backup directory.  The attached patch fixes this vulnerability.

-- 
Regards,
Dilip Kumar
Google