Hi,

On 2019-04-02 07:35:02 -0500, Brad Nicholson wrote:
> Michael Paquier <michael@xxxxxxxxxxx> wrote on 04/02/2019 01:05:01 AM:
>
> > From: Michael Paquier <michael@xxxxxxxxxxx>
> > To: "Jonathan S. Katz" <jkatz@xxxxxxxxxxxxxx>
> > Cc: Tom Lane <tgl@xxxxxxxxxxxxx>, Magnus Hagander
> > <magnus@xxxxxxxxxxxx>, Daniel Verite <daniel@xxxxxxxxxxxxxxxx>,
> > pgsql-general <pgsql-general@xxxxxxxxxxxxxxxxxxxx>
> > Date: 04/02/2019 01:05 AM
> > Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
> >
> > On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > > +1, though I'd want to see if people get noisier about it before we rule
> > > out an official response.
> > >
> > > A blog post from a reputable author who can speak to security should
> > > be good enough and we can make noise through our various channels.
> >
> > Need a hand? Not sure if I am reputable enough though :)
> >
> > By the way, it could be the occasion to consider an official
> > PostgreSQL blog on the main website. News are not really a model
> > adapted for problem analysis and for entering into technical details.
>
> A blog post would be nice, but it seems to me that having something about
> this clearly in the manual would be best, assuming it's not there already.
> I took a quick look, and couldn't find anything.

https://www.postgresql.org/docs/devel/sql-copy.html

"Note that the command is invoked by the shell, so if you need to pass any
arguments to shell command that come from an untrusted source, you must be
careful to strip or escape any special characters that might have a
special meaning for the shell. For security reasons, it is best to use a
fixed command string, or at least avoid passing any user input in it."

"Similarly, the command specified with PROGRAM is executed directly by the
server, not by the client application, must be executable by the
PostgreSQL user. COPY naming a file or command is only allowed to database
superusers or users who are granted one of the default roles
pg_read_server_files, pg_write_server_files, or pg_execute_server_program,
since it allows reading or writing any file or running a program that the
server has privileges to access."

Those seem reasonable to me?

Greetings,

Andres Freund
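The documentation passage quoted above is, in practice, an access-control statement: only superusers and members of pg_read_server_files, pg_write_server_files or pg_execute_server_program can point COPY at a server file or a PROGRAM. The queries below are an added audit example, not part of this thread or of the PostgreSQL project's own tooling; they assume PostgreSQL 11 or later (where those three default roles exist) and use `app_user` only as a placeholder role name in the final REVOKE.

```sql
-- Added example (not from the thread): list who can use COPY ... FROM/TO PROGRAM
-- or COPY with a server-side file, according to the documentation quoted above.
-- Assumes PostgreSQL 11+, where pg_read_server_files, pg_write_server_files and
-- pg_execute_server_program are the predefined roles that grant these rights.

-- 1. Superusers: they can always run COPY with a file or PROGRAM.
SELECT rolname
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. Non-superusers holding one of the three roles, directly or through nested
--    membership (pg_has_role() with 'MEMBER' follows membership chains).
--    Built-in pg_* roles are excluded so only user-created roles are reported.
SELECT r.rolname,
       pg_has_role(r.oid, 'pg_read_server_files',     'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',    'MEMBER') AS can_write_server_files,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_execute_server_program
FROM pg_roles r
WHERE NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%'
  AND (   pg_has_role(r.oid, 'pg_read_server_files',     'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',    'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- 3. Withdraw the capability from a role that should not have it.
--    'app_user' is a placeholder; substitute the role reported by query 2.
-- REVOKE pg_execute_server_program FROM app_user;
```

Running the first two queries as part of a periodic privilege review shows whether the set of roles able to execute programs as the PostgreSQL OS user matches what was intended; any unexpected entry is a grant to revoke rather than a server bug, which is the point the thread makes about CVE-2019-9193.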