Odoo Server (MOVED TO GITHUB)

Merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections into lp:openobject-server/7.0

  1. 7.0-sanitize-db-connections
  2. Merge into 7.0
Proposed by Olivier Dony (Odoo)
Status: Work in progress
Proposed branch: lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections
Merge into: lp:openobject-server/7.0
Diff against target: 26 lines (+9/-1)
1 file modified
openerp/sql_db.py (+9/-1)
To merge this branch: bzr merge lp:~openerp-dev/openobject-server/7.0-sanitize-db-connections
Reviewer Review Type Date Requested Status
OpenERP Core Team Pending
Review via email: mp+164190@code.launchpad.net

Description of the change

Proof of concept of database names sanitization at the connection pool level. This would have the side effect of preventing trivial exploits of PostgreSQL's CVE-2013-1899 vulnerability on unpatched systems.

This works by enforcing an arbitrary pattern for allowed database names: ^[\w][\w.-]+

This is unlikely to be merged in 7.0 as it would constitute a backwards-incompatible change on an LTS version: connecting to databases that do not match this pattern would be impossible, even though the database may be legit and working. There is no easy way to detect exploit attempts accurately because the database names used for the exploit are technically valid database names that ought to be supported by PostgreSQL.

We could consider merging this in trunk, but it would be much less useful to prevent the exploit. If we do that, we should also take into account the performance hit of the extra regex check (the regex check is performed *very often* - usually more than once per incoming request). DSNs should probably be cached - they really only need to be computed once.

To post a comment you must log in.

Unmerged revisions

4976. By Olivier Dony (Odoo)

[FIX] sql_db: sanitize database names before connecting to them - prevents exploiting PostgreSQL CVE-2013-1899 vulnerability

The Database Manager screen enforces this pattern: ^[a-zA-Z][a-zA-Z0-9_-]+$
so we are just a bit less restrictive and allow leading numbers and
underscores for manually created databases.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'openerp/sql_db.py'
--- openerp/sql_db.py 2013-03-01 12:07:44 +0000
+++ openerp/sql_db.py 2013-05-16 14:06:50 +0000
@@ -496,13 +496,21 @@
496 except Exception:496 except Exception:
497 return False497 return False
498498
499# DB name sanitization, a.o. to prevent exploits of PostgreSQL
500# security vulnerability CVE-2013-1899
501# The Database Manager screen enforces this pattern: ^[a-zA-Z][a-zA-Z0-9_-]+$
502# so we're just a bit less restrictive and allow leading numbers and
503# underscores for manually created databases.
504VALID_DB_NAMES_EXPRESSION = re.compile(r'^[\w][\w.-]+')
505
499def dsn(db_name):506def dsn(db_name):
500 _dsn = ''507 _dsn = ''
501 for p in ('host', 'port', 'user', 'password'):508 for p in ('host', 'port', 'user', 'password'):
502 cfg = tools.config['db_' + p]509 cfg = tools.config['db_' + p]
503 if cfg:510 if cfg:
504 _dsn += '%s=%s ' % (p, cfg)511 _dsn += '%s=%s ' % (p, cfg)
505512 if not VALID_DB_NAMES_EXPRESSION.match(db_name):
513 raise ValueError('Unsupported database name: %r' % db_name)
506 return '%sdbname=%s' % (_dsn, db_name)514 return '%sdbname=%s' % (_dsn, db_name)
507515
508def dsn_are_equals(first, second):516def dsn_are_equals(first, second):