From 2ec75967d9ddd20378e03a5e7c46cb126972747c Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 14 Aug 2012 18:28:37 -0400 Subject: Prevent access to external files/URLs via contrib/xml2's xslt_process(). libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a terrible idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. While the ability to write as well as read makes this security hole considerably worse than CVE-2012-3489, the problem is mitigated by the fact that xslt_process() is not available unless contrib/xml2 is installed, and the longstanding warnings about security risks from that should have discouraged prudent DBAs from installing it in security-exposed databases. Reported and fixed by Peter Eisentraut. Security: CVE-2012-3488 --- contrib/xml2/sql/xml2.sql | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'contrib/xml2/sql') diff --git a/contrib/xml2/sql/xml2.sql b/contrib/xml2/sql/xml2.sql index 4a996af7167..ac49cfa7c52 100644 --- a/contrib/xml2/sql/xml2.sql +++ b/contrib/xml2/sql/xml2.sql @@ -122,3 +122,18 @@ SELECT xslt_process('cim30400 $$::text, 'n1="v1",n2="v2",n3="v3",n4="v4",n5="v5",n6="v6",n7="v7",n8="v8",n9="v9",n10="v10",n11="v11",n12="v12"'::text); + +-- possible security exploit +SELECT xslt_process('Hello from XML', +$$ + + + + + + + +$$); -- cgit v1.2.3