Prevent path traversal in pg_basebackup and pg_rewind pg_rewind and pg_basebackup could be fed paths from rogue endpoints that could overwrite the contents of the client when received, achieving path traversal.
There were two areas in the tree that were sensitive to this problem: - pg_basebackup, through the astreamer code, where no validation was performed before building an output path when streaming tar data. This is an issue in v15 and newer versions. - pg_rewind file operations for paths received through libpq, for all the stable branches supported. In order to address this problem, this commit adds a helper function in path.c, that reuses path_is_relative_and_below_cwd() after applying canonicalize_path(). This can be used to validate the paths received from a connection point. A path is considered invalid if any of the two following conditions is satisfied: - The path is absolute. - The path includes a direct parent-directory reference. Reported-by: XlabAI Team of Tencent Xuanwu Lab Reported-by: Valery Gubanov <[email protected]> Author: Michael Paquier <[email protected]> Reviewed-by: Amit Kapila <[email protected]> Backpatch-through: 14 Security: CVE-2026-6475 Branch ------ REL_17_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/8f881e188bba9e9d8d63ca0b42cb2597ba828e03 Author: Michael Paquier <[email protected]> Modified Files -------------- src/bin/pg_basebackup/bbstreamer_file.c | 12 ++++++++++++ src/bin/pg_basebackup/bbstreamer_tar.c | 3 +++ src/bin/pg_rewind/file_ops.c | 23 +++++++++++++++++++++++ src/include/port.h | 1 + src/port/path.c | 17 +++++++++++++++++ 5 files changed, 56 insertions(+)
