From 26c953e3732150e8992f4d1ad3da703b9587e175 Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Wed, 8 Mar 2000 01:46:47 +0000 Subject: [PATCH] Bruce and all: Here's a patch to fix the " '.' not allowed in db path" problem I ran into. I removed '.' from the set of illegial characters, but added backtick. I also included an explicit test for attempting include a reference to a parent dir. How that? Ross --- src/backend/utils/misc/database.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/backend/utils/misc/database.c b/src/backend/utils/misc/database.c index 21a9e522ec..05b32ac62e 100644 --- a/src/backend/utils/misc/database.c +++ b/src/backend/utils/misc/database.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/utils/misc/Attic/database.c,v 1.35 2000/01/26 05:57:28 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/utils/misc/Attic/database.c,v 1.36 2000/03/08 01:46:47 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -83,22 +83,27 @@ ExpandDatabasePath(const char *dbpath) DataDir, SEP_CHAR, SEP_CHAR, dbpath); } - /* check for illegal characters in dbpath */ + /* check for illegal characters in dbpath + * these should really throw an error, shouldn't they? or else all callers + * need to test for NULL */ for(cp = buf; *cp; cp++) { /* The following characters will not be allowed anywhere in the database - path. (Do not include the slash here.) */ + path. (Do not include the slash or '.' here.) */ char illegal_dbpath_chars[] = "\001\002\003\004\005\006\007\010" "\011\012\013\014\015\016\017\020" "\021\022\023\024\025\026\027\030" "\031\032\033\034\035\036\037" - "'."; + "'`"; const char *cx; for (cx = illegal_dbpath_chars; *cx; cx++) if (*cp == *cx) return NULL; + /* don't allow access to parent dirs */ + if (strncmp(cp, "/../", 4) == 0 ) + return NULL ; } return pstrdup(buf); -- 2.11.0