public inbox for [email protected]
help / color / mirror / Atom feedHow to use \restrict or \unrestirct in python
3+ messages / 3 participants
[nested] [flat]
* How to use \restrict or \unrestirct in python
@ 2025-09-15 07:16 ma lz <[email protected]>
2025-09-15 12:32 ` Re: How to use \restrict or \unrestirct in python David G. Johnston <[email protected]>
2025-09-15 14:17 ` Re: How to use \restrict or \unrestirct in python Adrian Klaver <[email protected]>
0 siblings, 2 replies; 3+ messages in thread
From: ma lz @ 2025-09-15 07:16 UTC (permalink / raw)
To: [email protected] <[email protected]>
To fix CVE-2025-8714, PG introduce \restrict , but if we use python ( like psycopg2), it does not support slash command.
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: How to use \restrict or \unrestirct in python
2025-09-15 07:16 How to use \restrict or \unrestirct in python ma lz <[email protected]>
@ 2025-09-15 12:32 ` David G. Johnston <[email protected]>
1 sibling, 0 replies; 3+ messages in thread
From: David G. Johnston @ 2025-09-15 12:32 UTC (permalink / raw)
To: ma lz <[email protected]>; +Cc: [email protected] <[email protected]>
On Monday, September 15, 2025, ma lz <[email protected]> wrote:
> To fix CVE-2025-8714, PG introduce \restrict , but if we use python ( like
> psycopg2), it does not support slash command.
>
Great, then you are unaffected by the CVE that targets the psql application.
David J.
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: How to use \restrict or \unrestirct in python
2025-09-15 07:16 How to use \restrict or \unrestirct in python ma lz <[email protected]>
@ 2025-09-15 14:17 ` Adrian Klaver <[email protected]>
1 sibling, 0 replies; 3+ messages in thread
From: Adrian Klaver @ 2025-09-15 14:17 UTC (permalink / raw)
To: ma lz <[email protected]>; [email protected] <[email protected]>
On 9/15/25 00:16, ma lz wrote:
> To fix CVE-2025-8714, PG introduce \restrict , but if we use python
> ( like psycopg2), it does not support slash command.
The backslash commands are specific to psql:
https://www.postgresql.org/docs/current/app-psql.html
Per the release notes:
https://www.postgresql.org/docs/current/release-17-6.html
"
Since dump/restore operations typically involve running SQL commands as
superuser, the target database installation must trust the source
server. However, it does not follow that the operating system user who
executes psql to perform the restore should have to trust the source
server. The risk here is that an attacker who has gained superuser-level
control over the source server might be able to cause it to emit text
that would be interpreted as psql meta-commands. That would provide
shell-level access to the restoring user's own account, independently of
access to the target database.
To provide a positive guarantee that this can't happen, extend psql with
a \restrict command that prevents execution of further meta-commands,
and teach pg_dump to issue that before any data coming from the source
server.
"
psycopg2/psycopg uses the same underlying library, libpq, as psql but
psycopg does not support backslash commands. Therefore is cannot execute
them directly in the manner explained above. Python in general can
execute them indirectly by using something like:
subprocess.check_output()
to execute psql -f some_text_dump_file. It would be up to you to verify
what is in the the dump file.
--
Adrian Klaver
[email protected]
^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2025-09-15 14:17 UTC | newest]
Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-09-15 07:16 How to use \restrict or \unrestirct in python ma lz <[email protected]>
2025-09-15 12:32 ` David G. Johnston <[email protected]>
2025-09-15 14:17 ` Adrian Klaver <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox