Andrew Dunstan writes:
> On 11/29/2013 06:43 PM, Tom Lane wrote:
>> I've committed this patch. I added a make_native_path() call to fix the
>> slashes-versus-backslashes issue noted by Christian Ullrich, since that
>> was an easy one-line addition.
> I don't mind changing this, but IMNSHO it's n
On 11/29/2013 06:43 PM, Tom Lane wrote:
Rajeev rastogi writes:
OK. Then I am moving it to "ready for committer".
I've committed this patch. I added a make_native_path() call to fix the
slashes-versus-backslashes issue noted by Christian Ullrich, since that
was an easy one-line addition.
I
Rajeev rastogi writes:
> OK. Then I am moving it to "ready for committer".
I've committed this patch. I added a make_native_path() call to fix the
slashes-versus-backslashes issue noted by Christian Ullrich, since that
was an easy one-line addition. I didn't do anything about the
relative-path-
On 27 November 2013, Naoya Anzai wrote:
> Hi, Rajeev
>
> > > I tested the latest patch. My observation is:
> > > If we give relative data directory path while registering the
> > > service, then service start fails.
> > > But same works if the data directory is absolute path.
> > >
> > > Loo
Hi, Rajeev
> > I tested the latest patch. My observation is:
> > If we give relative data directory path while registering the
> > service, then service start fails.
> > But same works if the data directory is absolute path.
> >
> > Looks like an existing issue. May be we need to inte
On 25 November 2013, Rajeev Rastogi Wrote:
> > > One suggestion:
> > > Instead of using sizeof(cmdLine),
> > > a. Can't we use strlen (hence small 'for' loop).
> > > b. Or use memmove to move one byte.
> >
> > I looked at this patch a bit. I agree that we need to fix
> > pgwin32_CommandLine t
On 24 November 2013, Tom Lane Wrote:
> > One suggestion:
> > Instead of using sizeof(cmdLine),
> > a. Can't we use strlen (hence small 'for' loop).
> > b. Or use memmove to move one byte.
>
> I looked at this patch a bit. I agree that we need to fix
> pgwin32_CommandLine to double-quote
Rajeev rastogi writes:
> One suggestion:
> Instead of using sizeof(cmdLine),
> a. Can't we use strlen (hence small 'for' loop).
> b. Or use memmove to move one byte.
I looked at this patch a bit. I agree that we need to fix
pgwin32_CommandLine to double-quote the executable name, b
ON 11 November 2013, Naoya Anzai Wrote:
>>
>> Hi Amit,
>>
> > I have uploaded your patch for next commit fest, hope you can support
> > it if there is any feedback for your patch by reviewer/committer.
> Thanks! Okay, I will support you.
1. Patch applies cleanly to master HEAD.
2. No Compilatio
Hi Amit,
> I have uploaded your patch for next commit fest, hope you can support
> it if there is any feedback for your patch by reviewer/committer.
Thanks! Okay, I will support you.
Best Regards,
Naoya
> Hi Naoya,
>
> On Thu, Oct 31, 2013 at 5:42 PM, Robert Haas wrote:
> > On Thu, Oct 31, 201
Hi Naoya,
On Thu, Oct 31, 2013 at 5:42 PM, Robert Haas wrote:
> On Thu, Oct 31, 2013 at 1:44 AM, Asif Naeem wrote:
>> On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila
>> wrote:
>>>
>>> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
>>> wrote:
>>> > Hi Sandeep
>>> >
>>> >> I think, you should chang
On Thu, Oct 31, 2013 at 1:44 AM, Asif Naeem wrote:
> On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila
> wrote:
>>
>> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
>> wrote:
>> > Hi Sandeep
>> >
>> >> I think, you should change the subject line to "Unquoted service path
>> >> containing space is vu
Services are started with the system privileges. If somebody is able to
place that .exe in the specified directory, then it will be executed on
service start. So, yes, I too agree with Asif that it is an important issue
and should be fixed in the code at the earliest.
On Thu, Oct 31, 2013 at 11:1
On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila wrote:
> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
> wrote:
> > Hi Sandeep
> >
> >> I think, you should change the subject line to "Unquoted service path
> containing space is vulnerable and can be exploited on Windows" to get the
> attention..
On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
wrote:
> Hi Sandeep
>
>> I think, you should change the subject line to "Unquoted service path
>> containing space is vulnerable and can be exploited on Windows" to get the
>> attention.. :)
> Thank you for advice!
> I'll try to post to pgsql-bugs
Hi Sandeep
> I think, you should change the subject line to "Unquoted service path
> containing space is vulnerable and can be exploited on Windows" to get the
> attention.. :)
Thank you for advice!
I'll try to post to pgsql-bugs again.
> BTW, in your case, the file "Program" should be an exe
Hi Naoya
I think, you should change the subject line to "Unquoted service path
containing space is vulnerable and can be exploited on Windows" to get the
attention.. :)
BTW, in your case, the file "Program" should be an exe and not just any
other file to exploit this vulnerability. Right?
On
Hi,Sandeep
Thanks.
Sorry, There was a mistake in what I said.
I said
> Not only "pg_ctl.exe" but "postgres.exe" also have the same problem.
but, to say it correctly,
"postgres.exe" does not have the problem.
Source that contains the problem is only "pg_ctl.c".
> So, this is not an instal
Yes. It should not be installer issue as installer is using pg_ctl to
register and run the service on Windows. Thanks.
Best Regards,
Muhammad Asif Naeem
On Tue, Oct 29, 2013 at 9:57 AM, Sandeep Thakkar <
sandeep.thak...@enterprisedb.com> wrote:
> So, this is not an installer issue. Is this bug
So, this is not an installer issue. Is this bug raised to the PostgreSQL
community? If yes, you should submit the patch there.
On Tue, Oct 29, 2013 at 6:23 AM, Naoya Anzai
wrote:
> Hi, Asif
>
> Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf.
>
> > Good finding. I have
Hi, Asif
Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf.
> Good finding. I have attached another version of patch
> (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of code
> changes, can you please take a look ?. Thanks.
I think your patch is not
Hi Sandeep,
PFA Naoya's patch (pg_ctl.c.patch).
Hi Naoya,
Good finding. I have attached another version of patch
(pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of
code changes, can you please take a look ?. Thanks.
Best Regards,
Asif Naeem
On Mon, Oct 28, 2013 at 4:46 PM
Hi Dave
We register the service using pg_ctl. When I manually executed the
following on the command prompt, I saw that the service path of the
registered service did not have the pg_ctl.exe path in quotes. May be it
should be handled in the pg_ctl code.
*c:\Users\Sandeep Thakkar\Documents>*"c:\Pr
Sandeep, can you look at this please? Thanks.
On Mon, Oct 28, 2013 at 8:18 AM, Asif Naeem wrote:
> It is related to windows unquoted service path vulnerability in the the
> installer that creates service path without quotes that make service.exe to
> look for undesirable path for executable.
>
>
It is related to windows unquoted service path vulnerability in the the
installer that creates service path without quotes that make service.exe to
look for undesirable path for executable.
postgresql-9.3 service path : C:/Users/asif/Desktop/Program
files/9.3/bin/pg_ctl.exe runservice -N "postgres
Hi, Asif.
Thank you for response.
> C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D
> "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
> server starting
This failure does not occur by the command line.
PostgreSQL needs to start by Windows Service.
Additiona
Hi Naoya,
I am not able to reproduce the problem. Do you mean pg windows service
installed by installer is not working or bin\pg_ctl binary is not accepting
spaces in the patch ?. Following worked for me i.e.
C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D
> "C:\Users\asif\Desktop\Program
Hi All,
I have found a case that PostgreSQL Service does not start.
When it happens, the following error appears.
"is not a valid Win32 application"
This failure occurs when the following conditions are true.
1. There is "postgres.exe" in any directory that contains a space,
such as "Progra
28 matches
Mail list logo
