upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-05-21 09:48:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
Base de données relationnelle
62348 commits 38 branches 684 tags 869 MiB
C 84.4%
PLpgSQL 6.2%
Perl 5%
Yacc 1.2%
Meson 0.7%
Other 2.4%
Find a file
Michael Paquier 6a67c540a6 Prevent path traversal in pg_basebackup and pg_rewind 
pg_rewind and pg_basebackup could be fed paths from rogue endpoints that
could overwrite the contents of the client when received, achieving path
traversal.

There were two areas in the tree that were sensitive to this problem:
- pg_basebackup, through the astreamer code, where no validation was
performed before building an output path when streaming tar data.  This
is an issue in v15 and newer versions.
- pg_rewind file operations for paths received through libpq, for all
the stable branches supported.

In order to address this problem, this commit adds a helper function in
path.c, that reuses path_is_relative_and_below_cwd() after applying
canonicalize_path().  This can be used to validate the paths received
from a connection point.  A path is considered invalid if any of the two
following conditions is satisfied:
- The path is absolute.
- The path includes a direct parent-directory reference.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
Reported-by: Valery Gubanov <valerygubanov95@gmail.com>
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Amit Kapila <amit.kapila16@gmail.com>
Backpatch-through: 14
Security: CVE-2026-6475
2026-05-11 05:13:48 -07:00
.github Add CODE_OF_CONDUCT.md, CONTRIBUTING.md, and SECURITY.md. 2024-07-02 13:03:58 -05:00
config Allow PG_PRINTF_ATTRIBUTE to be different in C and C++ code. 2026-02-25 11:57:26 -05:00
contrib Guard against overflow in "left" fields of query_int and ltxtquery. 2026-05-11 05:13:47 -07:00
doc First-draft release notes for 18.4. 2026-05-08 14:13:13 -04:00
src Prevent path traversal in pg_basebackup and pg_rewind 2026-05-11 05:13:48 -07:00
.abi-compliance-history Update .abi-compliance-history for AddRelationNotNullConstraints(). 2026-02-21 13:08:44 +01:00
.cirrus.star ci: Simplify ci-os-only handling 2025-08-14 12:09:53 -04:00
.cirrus.tasks.yml Fix typo 2026-01-07 15:48:45 +01:00
.cirrus.yml ci: Per-repo configuration for manually trigger tasks 2025-08-14 11:33:44 -04:00
.dir-locals.el Make Emacs perl-mode indent more like perltidy. 2019-01-13 11:32:31 -08:00
.editorconfig Add script to keep .editorconfig in sync with .gitattributes 2025-02-01 10:09:45 +01:00
.git-blame-ignore-revs Add previous commit to .git-blame-ignore-revs. 2025-10-21 10:02:19 -05:00
.gitattributes Fix git whitespace warning 2025-08-15 10:32:22 +02:00
.gitignore Update top-level .gitignore. 2022-12-04 15:23:00 -05:00
.mailmap Add a Git .mailmap file 2024-11-05 13:56:02 +01:00
aclocal.m4 autoconf: Move export_dynamic determination to configure 2022-12-06 18:55:28 -08:00
configure Allow PG_PRINTF_ATTRIBUTE to be different in C and C++ code. 2026-02-25 11:57:26 -05:00
configure.ac Allow PG_PRINTF_ATTRIBUTE to be different in C and C++ code. 2026-02-25 11:57:26 -05:00
COPYRIGHT Update copyright for 2026 2026-01-01 13:24:10 -05:00
GNUmakefile.in Allow selecting the git revision to be packaged by "make dist". 2024-05-03 11:08:50 -04:00
HISTORY Canonicalize some URLs 2020-02-10 20:47:50 +01:00
Makefile Adapt REL_18_STABLE to its new status as a stable branch 2025-06-29 23:00:00 -04:00
meson.build Allow PG_PRINTF_ATTRIBUTE to be different in C and C++ code. 2026-02-25 11:57:26 -05:00
meson_options.txt Add support for basic NUMA awareness 2025-04-07 23:08:17 +02:00
README.md Adapt REL_18_STABLE to its new status as a stable branch 2025-06-29 23:00:00 -04:00

README.md

PostgreSQL Database Management System

This directory contains the source code distribution of the PostgreSQL database management system.

PostgreSQL is an advanced object-relational database management system that supports an extended subset of the SQL standard, including transactions, foreign keys, subqueries, triggers, user-defined types and functions. This distribution also contains C language bindings.

Copyright and license information can be found in the file COPYRIGHT.

General documentation about this version of PostgreSQL can be found at https://www.postgresql.org/docs/18/. In particular, information about building PostgreSQL from the source code can be found at https://www.postgresql.org/docs/18/installation.html.

The latest version of this software, and related software, may be obtained at https://www.postgresql.org/download/. For more information look at our web site located at https://www.postgresql.org/.