mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-21 08:29:39 +08:00
adc97d03b9
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a terrible idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. While the ability to write as well as read makes this security hole considerably worse than CVE-2012-3489, the problem is mitigated by the fact that xslt_process() is not available unless contrib/xml2 is installed, and the longstanding warnings about security risks from that should have discouraged prudent DBAs from installing it in security-exposed databases. Reported and fixed by Peter Eisentraut. Security: CVE-2012-3488
225 lines
7.7 KiB
Plaintext
225 lines
7.7 KiB
Plaintext
CREATE EXTENSION xml2;
|
|
select query_to_xml('select 1 as x',true,false,'');
|
|
query_to_xml
|
|
---------------------------------------------------------------
|
|
<table xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">+
|
|
+
|
|
<row> +
|
|
<x>1</x> +
|
|
</row> +
|
|
+
|
|
</table> +
|
|
|
|
(1 row)
|
|
|
|
select xslt_process( query_to_xml('select x from generate_series(1,5) as
|
|
x',true,false,'')::text,
|
|
$$<xsl:stylesheet version="1.0"
|
|
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
|
<xsl:output method="xml" indent="yes" />
|
|
<xsl:template match="*">
|
|
<xsl:copy>
|
|
<xsl:copy-of select="@*" />
|
|
<xsl:apply-templates />
|
|
</xsl:copy>
|
|
</xsl:template>
|
|
<xsl:template match="comment()|processing-instruction()">
|
|
<xsl:copy />
|
|
</xsl:template>
|
|
</xsl:stylesheet>
|
|
$$::text);
|
|
xslt_process
|
|
---------------------------------------------------------------
|
|
<?xml version="1.0"?> +
|
|
<table xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">+
|
|
+
|
|
<row> +
|
|
<x>1</x> +
|
|
</row> +
|
|
+
|
|
<row> +
|
|
<x>2</x> +
|
|
</row> +
|
|
+
|
|
<row> +
|
|
<x>3</x> +
|
|
</row> +
|
|
+
|
|
<row> +
|
|
<x>4</x> +
|
|
</row> +
|
|
+
|
|
<row> +
|
|
<x>5</x> +
|
|
</row> +
|
|
+
|
|
</table> +
|
|
|
|
(1 row)
|
|
|
|
CREATE TABLE xpath_test (id integer NOT NULL, t xml);
|
|
INSERT INTO xpath_test VALUES (1, '<doc><int>1</int></doc>');
|
|
SELECT * FROM xpath_table('id', 't', 'xpath_test', '/doc/int', 'true')
|
|
as t(id int4);
|
|
id
|
|
----
|
|
(0 rows)
|
|
|
|
SELECT * FROM xpath_table('id', 't', 'xpath_test', '/doc/int', 'true')
|
|
as t(id int4, doc int4);
|
|
id | doc
|
|
----+-----
|
|
1 | 1
|
|
(1 row)
|
|
|
|
DROP TABLE xpath_test;
|
|
CREATE TABLE xpath_test (id integer NOT NULL, t text);
|
|
INSERT INTO xpath_test VALUES (1, '<doc><int>1</int></doc>');
|
|
SELECT * FROM xpath_table('id', 't', 'xpath_test', '/doc/int', 'true')
|
|
as t(id int4);
|
|
id
|
|
----
|
|
(0 rows)
|
|
|
|
SELECT * FROM xpath_table('id', 't', 'xpath_test', '/doc/int', 'true')
|
|
as t(id int4, doc int4);
|
|
id | doc
|
|
----+-----
|
|
1 | 1
|
|
(1 row)
|
|
|
|
create table articles (article_id integer, article_xml xml, date_entered date);
|
|
insert into articles (article_id, article_xml, date_entered)
|
|
values (2, '<article><author>test</author><pages>37</pages></article>', now());
|
|
SELECT * FROM
|
|
xpath_table('article_id',
|
|
'article_xml',
|
|
'articles',
|
|
'/article/author|/article/pages|/article/title',
|
|
'date_entered > ''2003-01-01'' ')
|
|
AS t(article_id integer, author text, page_count integer, title text);
|
|
article_id | author | page_count | title
|
|
------------+--------+------------+-------
|
|
2 | test | 37 |
|
|
(1 row)
|
|
|
|
-- this used to fail when invoked a second time
|
|
select xslt_process('<aaa/>',$$<xsl:stylesheet version="1.0"
|
|
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
|
<xsl:template match="@*|node()">
|
|
<xsl:copy>
|
|
<xsl:apply-templates select="@*|node()"/>
|
|
</xsl:copy>
|
|
</xsl:template>
|
|
</xsl:stylesheet>$$)::xml;
|
|
xslt_process
|
|
--------------
|
|
<aaa/> +
|
|
|
|
(1 row)
|
|
|
|
select xslt_process('<aaa/>',$$<xsl:stylesheet version="1.0"
|
|
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
|
<xsl:template match="@*|node()">
|
|
<xsl:copy>
|
|
<xsl:apply-templates select="@*|node()"/>
|
|
</xsl:copy>
|
|
</xsl:template>
|
|
</xsl:stylesheet>$$)::xml;
|
|
xslt_process
|
|
--------------
|
|
<aaa/> +
|
|
|
|
(1 row)
|
|
|
|
create table t1 (id integer, xml_data xml);
|
|
insert into t1 (id, xml_data)
|
|
values
|
|
(1, '<attributes><attribute name="attr_1">Some
|
|
Value</attribute></attributes>');
|
|
create index idx_xpath on t1 ( xpath_string
|
|
('/attributes/attribute[@name="attr_1"]/text()', xml_data::text));
|
|
SELECT xslt_process('<employee><name>cim</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
|
<xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
|
|
<xsl:strip-space elements="*"/>
|
|
<xsl:param name="n1"/>
|
|
<xsl:param name="n2"/>
|
|
<xsl:param name="n3"/>
|
|
<xsl:param name="n4"/>
|
|
<xsl:param name="n5" select="'me'"/>
|
|
<xsl:template match="*">
|
|
<xsl:element name="samples">
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n1"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n2"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n3"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n4"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n5"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n6"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n7"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n8"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n9"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n10"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n11"/>
|
|
</xsl:element>
|
|
<xsl:element name="sample">
|
|
<xsl:value-of select="$n12"/>
|
|
</xsl:element>
|
|
</xsl:element>
|
|
</xsl:template>
|
|
</xsl:stylesheet>$$::text, 'n1="v1",n2="v2",n3="v3",n4="v4",n5="v5",n6="v6",n7="v7",n8="v8",n9="v9",n10="v10",n11="v11",n12="v12"'::text);
|
|
xslt_process
|
|
------------------------
|
|
<samples> +
|
|
<sample>v1</sample> +
|
|
<sample>v2</sample> +
|
|
<sample>v3</sample> +
|
|
<sample>v4</sample> +
|
|
<sample>v5</sample> +
|
|
<sample>v6</sample> +
|
|
<sample>v7</sample> +
|
|
<sample>v8</sample> +
|
|
<sample>v9</sample> +
|
|
<sample>v10</sample>+
|
|
<sample>v11</sample>+
|
|
<sample>v12</sample>+
|
|
</samples> +
|
|
|
|
(1 row)
|
|
|
|
-- possible security exploit
|
|
SELECT xslt_process('<xml><foo>Hello from XML</foo></xml>',
|
|
$$<xsl:stylesheet version="1.0"
|
|
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
|
xmlns:sax="http://icl.com/saxon"
|
|
extension-element-prefixes="sax">
|
|
|
|
<xsl:template match="//foo">
|
|
<sax:output href="0wn3d.txt" method="text">
|
|
<xsl:value-of select="'0wn3d via xml2 extension and libxslt'"/>
|
|
<xsl:apply-templates/>
|
|
</sax:output>
|
|
</xsl:template>
|
|
</xsl:stylesheet>$$);
|
|
ERROR: failed to apply stylesheet
|