Thread: Re: Bug#372115: Last security update of postgresql-contrib breaks database replication with DBMirror.pl
Hi PostgreSQL gurus, hi Olivier,

Martin Pitt [2006-06-16 0:15 +0200]:
> Upstream confirmed my reply in the last mail in [1]: the complete
> escaping logic in DBMirror.pl is seriously screwed.
>
> [1] http://archives.postgresql.org/pgsql-bugs/2006-06/msg00065.php

I finally found some time to debug this, and I think I found a better
patch than the one you proposed. Mine is still hackish and is still a
workaround around a proper quoting solution, but at least it repairs
the parsing without introducing the \' quoting again.

I consider this a band-aid patch to fix the recent security update.
PostgreSQL gurus, would you consider applying this until a better
solution is found for DBMirror.pl?

Olivier, can you please confirm that the patch works for you, too?

Thank you,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
Attachments
Martin Pitt <martin@piware.de> writes:
> I finally found some time to debug this, and I think I found a better
> patch than the one you proposed. Mine is still hackish and is still a
> workaround around a proper quoting solution, but at least it repairs
> the parsing without introducing the \' quoting again.

Yeah, this is probably all right. My concerns about encoding
vulnerabilities were likely overblown --- it would only be an issue if
the mirror script were running with a non-ASCII-safe client encoding,
which seems pretty unlikely. So this will do as a band aid.

However, in looking through DBMirror.pl to try to understand what was
going on, I immediately found several other bugs --- fails on field
names containing double quotes, mirrorDelete fails to re-quote values,
mirrorUpdate tries to use "field = null" where "field is null" would be
correct, for example. I'm wondering whether this thing is really still
used in practice, and whether we shouldn't be deprecating it in favor
of Slony. As far as I can tell from the CVS logs, dbmirror per se hasn't
been touched since 2004 --- all subsequent edits have been part of
tree-wide changes.

regards, tom lane
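
The three statement-building problems listed in the message above (field names containing double quotes, values not re-quoted in DELETE, "field = null" in place of "field is null"), handled correctly in a short Perl sketch. This is an added example, not code from DBMirror.pl or from the posted patch; all helper names are hypothetical, table names are assumed unqualified, and the E'' prefix assumes a server that accepts it.

```perl
#!/usr/bin/perl
# Added example; helper names are hypothetical, not taken from DBMirror.pl.
use strict;
use warnings;

# Identifier: wrap in double quotes and double any embedded double quote.
sub quote_ident {
    my ($name) = @_;
    (my $q = $name) =~ s/"/""/g;
    return qq{"$q"};
}

# Literal: undef becomes NULL; ' is doubled, never written as \'.
# As the server-side quote_literal() does, a value containing a backslash
# gets its backslashes doubled and an E prefix (assumption: E'' is accepted).
sub quote_literal {
    my ($val) = @_;
    return 'NULL' unless defined $val;
    (my $q = $val) =~ s/'/''/g;
    my $prefix = ($q =~ s/\\/\\\\/g) ? 'E' : '';
    return "$prefix'$q'";
}

# WHERE predicate: "col" IS NULL for undef, "col" = 'value' otherwise.
sub where_term {
    my ($col, $val) = @_;
    return quote_ident($col) . ' IS NULL' unless defined $val;
    return quote_ident($col) . ' = ' . quote_literal($val);
}

sub where_clause {
    my ($keys) = @_;    # hashref: column name => value
    return join ' AND ', map { where_term($_, $keys->{$_}) } sort keys %$keys;
}

sub build_delete {
    my ($table, $keys) = @_;
    return 'DELETE FROM ' . quote_ident($table) . ' WHERE ' . where_clause($keys);
}

sub build_update {
    my ($table, $set, $keys) = @_;
    my $assign = join ', ',
        map { quote_ident($_) . ' = ' . quote_literal($set->{$_}) } sort keys %$set;
    return 'UPDATE ' . quote_ident($table) . " SET $assign WHERE " . where_clause($keys);
}

# Constructed sample rows, printed so the generated SQL can be inspected.
print build_delete('orders', { 'note' => "O'Brien", 'ref "x"' => undef }), "\n";
print build_update('orders', { 'path' => 'C:\\tmp', 'note' => undef }, { 'id' => 7 }), "\n";
```

In the SET list a NULL is assigned with "=", which is valid; only the WHERE predicate needs IS NULL.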
Your patch has been added to the PostgreSQL unapplied patches list at:

http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi PostgreSQL gurus, hi Olivier,
>
> Martin Pitt [2006-06-16 0:15 +0200]:
> > Upstream confirmed my reply in the last mail in [1]: the complete
> > escaping logic in DBMirror.pl is seriously screwed.
> >
> > [1] http://archives.postgresql.org/pgsql-bugs/2006-06/msg00065.php
>
> I finally found some time to debug this, and I think I found a better
> patch than the one you proposed. Mine is still hackish and is still a
> workaround around a proper quoting solution, but at least it repairs
> the parsing without introducing the \' quoting again.
>
> I consider this a band-aid patch to fix the recent security update.
> PostgreSQL gurus, would you consider applying this until a better
> solution is found for DBMirror.pl?
>
> Olivier, can you please confirm that the patch works for you, too?
>
> Thank you,
>
> Martin
>
> --
> Martin Pitt http://www.piware.de
> Ubuntu Developer http://www.ubuntu.com
> Debian Developer http://www.debian.org
>
> In a world without walls and fences, who needs Windows and Gates?

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
Bruce Momjian bruce@momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
Patch applied. Thanks. Backpatched back to 7.3.X.

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi PostgreSQL gurus, hi Olivier,
>
> Martin Pitt [2006-06-16 0:15 +0200]:
> > Upstream confirmed my reply in the last mail in [1]: the complete
> > escaping logic in DBMirror.pl is seriously screwed.
> >
> > [1] http://archives.postgresql.org/pgsql-bugs/2006-06/msg00065.php
>
> I finally found some time to debug this, and I think I found a better
> patch than the one you proposed. Mine is still hackish and is still a
> workaround around a proper quoting solution, but at least it repairs
> the parsing without introducing the \' quoting again.
>
> I consider this a band-aid patch to fix the recent security update.
> PostgreSQL gurus, would you consider applying this until a better
> solution is found for DBMirror.pl?
>
> Olivier, can you please confirm that the patch works for you, too?
>
> Thank you,
>
> Martin
>
> --
> Martin Pitt http://www.piware.de
> Ubuntu Developer http://www.ubuntu.com
> Debian Developer http://www.debian.org
>
> In a world without walls and fences, who needs Windows and Gates?

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
Bruce Momjian bruce@momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +