Hello!!
Dilip Kumar <[email protected]> writes: > I would like to submit a patch to address a path traversal > vulnerability in pg_dump's directory format mode (-F d). Currently, > filenames listed in directory-format TOC files (toc.dat and > blobs_*.toc) are treated as trusted when reading an archive during a > restore. If an archive entry filename is maliciously modified to > contain path traversal elements (such as ..) or directory separators, > pg_restore can be tricked into reading files outside the intended > backup directory. The attached patch fixes this vulnerability. I was taking a look into the patch and, yes it works as expected, but I also manage to get the same result of a path traversal having a with a symlink as follow: blob_16388.dat -> ../../../../../../../etc/passwd Probably it could be worthy to add the symlink check with lstat() ? Regards, -- Jonathan Gonzalez V. EDB https://www.enterprisedb.com
