From d9b023c7bc73454402c34ef5dccb6acf100a606c Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Tue, 14 Aug 2012 18:28:53 -0400
Subject: Prevent access to external files/URLs via contrib/xml2's
xslt_process().
libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server. Disable that
through proper use of libxslt's security options.
Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs. While this was a documented "feature", it was
long regarded as a terrible idea. The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.
While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.
Reported and fixed by Peter Eisentraut.
Security: CVE-2012-3488
---
doc/src/sgml/xml2.sgml | 8 --------
1 file changed, 8 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/xml2.sgml b/doc/src/sgml/xml2.sgml
index 51faaccd208..80a3a45bed2 100644
--- a/doc/src/sgml/xml2.sgml
+++ b/doc/src/sgml/xml2.sgml
@@ -394,14 +394,6 @@ WHERE t.author_id = p.person_id;
contain commas!
-
- Also note that if either the document or stylesheet values do not
- begin with a < then they will be treated as URLs and libxslt will
- fetch them. It follows that you can use xslt_process as a
- means to fetch the contents of URLs — you should be aware of the
- security implications of this.
-
-
There is also a two-parameter version of xslt_process which
does not pass any parameters to the transformation.
--
cgit v1.2.3