Tom Lane ac7e13d6fc Prevent access to external files/URLs via contrib/xml2's xslt_process().
libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488
2012-08-14 18:32:21 -04:00
Name            Last commit message                                                                                                    Last commit date
config          Don't reject threaded Python on FreeBSD.                                                                               2012-02-20 16:21:41 -05:00
contrib         Prevent access to external files/URLs via contrib/xml2's xslt_process().                                               2012-08-14 18:32:21 -04:00
doc             Prevent access to external files/URLs via contrib/xml2's xslt_process().                                               2012-08-14 18:32:21 -04:00
src             Prevent access to external files/URLs via XML entity references.                                                       2012-08-14 18:32:20 -04:00
.gitignore      Convert cvsignore to gitignore, and add .gitignore for build targets.                                                  2010-09-22 12:57:06 +02:00
aclocal.m4      Add new auto-detection of thread flags.                                                                                2004-04-23 18:15:55 +00:00
configure       Stamp 9.0.8.                                                                                                           2012-05-31 19:09:35 -04:00
configure.in    Stamp 9.0.8.                                                                                                           2012-05-31 19:09:35 -04:00
COPYRIGHT       Update copyright for the year 2010.                                                                                    2010-01-02 16:58:17 +00:00
GNUmakefile.in  Back-patch replacement of README.CVS with README.git.                                                                  2010-09-21 14:42:58 -04:00
Makefile        Add new make targets "world", "install-world" and "installcheck-world" to build, install and check just about everything.  2010-01-28 23:59:52 +00:00
README          Point to our download URL, rather than listing interface in the README                                                 2008-05-06 22:02:12 +00:00
README.git      Back-patch replacement of README.CVS with README.git.                                                                  2010-09-21 14:42:58 -04:00

PostgreSQL Database Management System
=====================================
  
This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	http://www.postgresql.org/download

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Changes between all PostgreSQL releases are recorded in the
file HISTORY.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
http://www.postgresql.org/download/.  For more information look at our
web site located at http://www.postgresql.org/.