Odoo Server (MOVED TO GITHUB)

Merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections into lp:openobject-server/7.0

  1. 7.0-sanitize-db-connections
  2. Merge into 7.0
Proposed by Olivier Dony (Odoo)
Status: Work in progress
Proposed branch: lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections
Merge into: lp:openobject-server/7.0
Diff against target: 26 lines (+9/-1)
1 file modified
openerp/sql_db.py (+9/-1)
To merge this branch: bzr merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections
Reviewer Review Type Date Requested Status
OpenERP Core Team Pending
Review via email: mp+164190@code.launchpad.net

Description of the change

Proof of concept of database names sanitization at the connection pool level. This would have the side effect of preventing trivial exploits of PostgreSQL's CVE-2013-1899 vulnerability on unpatched systems.

This works by enforcing an arbitrary pattern for allowed database names: ^[\w][\w.-]+

This is unlikely to be merged in 7.0 as it would constitute a backwards-incompatible change on an LTS version: connecting to databases that do not match this pattern would be impossible, even though the database may be legit and working. There is no easy way to detect exploit attempts accurately because the database names used for the exploit are technically valid database names that ought to be supported by PostgreSQL.

We could consider merging this in trunk, but it would be much less useful to prevent the exploit. If we do that, we should also take into account the performance hit of the extra regex check (the regex check is performed *very often* - usually more than once per incoming request). DSNs should probably be cached - they really only need to be computed once.

To post a comment you must log in.

Unmerged revisions

4976. By Olivier Dony (Odoo)

[FIX] sql_db: sanitize database names before connecting to them - prevents exploiting PostgreSQL CVE-2013-1899 vulnerability

The Database Manager screen enforces this pattern: ^[a-zA-Z][a-zA-Z0-9_-]+$
so we are just a bit less restrictive and allow leading numbers and
underscores for manually created databases.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'openerp/sql_db.py'
2--- openerp/sql_db.py 2013-03-01 12:07:44 +0000
3+++ openerp/sql_db.py 2013-05-16 14:06:50 +0000
4@@ -496,13 +496,21 @@
5 except Exception:
6 return False
7
8+# DB name sanitization, a.o. to prevent exploits of PostgreSQL
9+# security vulnerability CVE-2013-1899
10+# The Database Manager screen enforces this pattern: ^[a-zA-Z][a-zA-Z0-9_-]+$
11+# so we're just a bit less restrictive and allow leading numbers and
12+# underscores for manually created databases.
13+VALID_DB_NAMES_EXPRESSION = re.compile(r'^[\w][\w.-]+')
14+
15 def dsn(db_name):
16 _dsn = ''
17 for p in ('host', 'port', 'user', 'password'):
18 cfg = tools.config['db_' + p]
19 if cfg:
20 _dsn += '%s=%s ' % (p, cfg)
21-
22+ if not VALID_DB_NAMES_EXPRESSION.match(db_name):
23+ raise ValueError('Unsupported database name: %r' % db_name)
24 return '%sdbname=%s' % (_dsn, db_name)
25
26 def dsn_are_equals(first, second):