mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-27 08:39:28 +08:00
adc97d03b9
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a terrible idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. While the ability to write as well as read makes this security hole considerably worse than CVE-2012-3489, the problem is mitigated by the fact that xslt_process() is not available unless contrib/xml2 is installed, and the longstanding warnings about security risks from that should have discouraged prudent DBAs from installing it in security-exposed databases. Reported and fixed by Peter Eisentraut. Security: CVE-2012-3488 |
||
---|---|---|
.. | ||
adminpack | ||
auth_delay | ||
auto_explain | ||
btree_gin | ||
btree_gist | ||
chkpass | ||
citext | ||
cube | ||
dblink | ||
dict_int | ||
dict_xsyn | ||
dummy_seclabel | ||
earthdistance | ||
file_fdw | ||
fuzzystrmatch | ||
hstore | ||
intagg | ||
intarray | ||
isn | ||
lo | ||
ltree | ||
oid2name | ||
pageinspect | ||
passwordcheck | ||
pg_archivecleanup | ||
pg_buffercache | ||
pg_freespacemap | ||
pg_standby | ||
pg_stat_statements | ||
pg_test_fsync | ||
pg_test_timing | ||
pg_trgm | ||
pg_upgrade | ||
pg_upgrade_support | ||
pgbench | ||
pgcrypto | ||
pgrowlocks | ||
pgstattuple | ||
seg | ||
sepgsql | ||
spi | ||
sslinfo | ||
start-scripts | ||
tablefunc | ||
tcn | ||
test_parser | ||
tsearch2 | ||
unaccent | ||
uuid-ossp | ||
vacuumlo | ||
xml2 | ||
contrib-global.mk | ||
Makefile | ||
README |
The PostgreSQL contrib tree --------------------------- This subtree contains porting tools, analysis utilities, and plug-in features that are not part of the core PostgreSQL system, mainly because they address a limited audience or are too experimental to be part of the main source tree. This does not preclude their usefulness. User documentation for each module appears in the main SGML documentation. When building from the source distribution, these modules are not built automatically, unless you build the "world" target. You can also build and install them all by running "gmake all" and "gmake install" in this directory; or to build and install just one selected module, do the same in that module's subdirectory. Some directories supply new user-defined functions, operators, or types. To make use of one of these modules, after you have installed the code you need to register the new SQL objects in the database system by executing a CREATE EXTENSION command. In a fresh database, you can simply do CREATE EXTENSION module_name; See the PostgreSQL documentation for more information about this procedure.