From 6e58c8f3fa04a08e046c7b2e5d74b1d870d0c78d Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Tue, 4 Sep 2007 02:16:56 +0000
Subject: [PATCH] Restrict tsearch config file base names to contain a-z, 0-9, and underscore, instead of the initial policy of whatever isalpha() likes. Per discussion.
---
 src/backend/tsearch/ts_utils.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/backend/tsearch/ts_utils.c b/src/backend/tsearch/ts_utils.c
index b320faa0ef..2665bfa5a3 100644
--- a/src/backend/tsearch/ts_utils.c
+++ b/src/backend/tsearch/ts_utils.c
@@ -38,22 +38,22 @@ get_tsearch_config_filename(const char *basename,
 {
 char sharepath[MAXPGPATH];
 char *result;
- const char *p;
 /*
- * We enforce that the basename is all alpha characters. This may be
- * overly restrictive, but we don't want to allow access to anything
+ * We limit the basename to contain a-z, 0-9, and underscores. This may
+ * be overly restrictive, but we don't want to allow access to anything
 * outside the tsearch_data directory, so for instance '/' *must* be
- * rejected. This is the same test used for timezonesets names.
+ * rejected, and on some platforms '\' and ':' are risky as well.
+ * Allowing uppercase might result in incompatible behavior between
+ * case-sensitive and case-insensitive filesystems, and non-ASCII
+ * characters create other interesting risks, so on the whole a tight
+ * policy seems best.
 */
- for (p = basename; *p; p++)
- {
- if (!isalpha((unsigned char) *p))
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("invalid text search configuration file name \"%s\"",
- basename)));
- }
+ if (strspn(basename, "abcdefghijklmnopqrstuvwxyz0123456789_") != strlen(basename))
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("invalid text search configuration file name \"%s\"",
+ basename)));
 get_share_path(my_exec_path, sharepath);
 result = palloc(MAXPGPATH);
-- 
2.39.5
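Review bot: An empty basename still passes the new allowlist test, because `strspn()` and `strlen()` both return 0 for `""`, so the check should also reject it, e.g. `if (basename[0] == '\0' || strspn(basename, "abcdefghijklmnopqrstuvwxyz0123456789_") != strlen(basename))`. What path an empty name would produce depends on the code after the `palloc()` call, which lies outside this hunk, so the impact cannot be judged from the visible lines. Because names with uppercase letters that the old `isalpha()` loop accepted are now refused, an `errhint` listing the permitted characters would make the rejection easier to diagnose. The `extension` argument is not checked anywhere in the visible lines; presumably callers pass fixed strings, but that is worth confirming since it ends up in the same path.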