by masklinn
4821 days ago
Nope. Looking at the release notes:

> Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)

So I assume command-line switch parsing is somehow involved in parsing the connection string (probably because the same connection strings can be used from API and from CLI?). I guess a database name with a leading `-` can be interpreted as a switch and execute corrupting commands.

edit: according to the dedicated FAQ:

> The vulnerability allows users to use a command-line switch for a PostgreSQL connection intended for single-user recovery mode while PostgreSQL is running in normal, multiuser mode. This can be used to harm the server.
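The bug class the comment describes, a client-controlled value that lands in argv and is consumed as a switch, in a toy form. This is an added illustration, not PostgreSQL's code or its actual fix: the switch names (`-D` for a data directory, `-r` for a recovery-mode log file), the data directory path and the `startup` helpers are all assumptions chosen to show the pattern. `vulnerable_startup` appends the database name to argv unchanged, so a name like `-r/tmp/evil.log` disappears as a database name and instead sets a switch; `hardened_startup` rejects switch-shaped names and terminates switch parsing with `--` before any user data.

```python
import getopt

# Constructed illustration: a toy backend whose recovery-mode switches share
# one parser with the switch the launcher always passes (-D datadir).
# Switch names and paths are assumptions, not PostgreSQL's real ones.
DATA_DIR = "/var/lib/pgdata"
SHORT_OPTS = "D:r:"          # -D <datadir>, -r <logfile> (hypothetical)


def parse_backend_argv(argv):
    """Return (switches, positional args) as a getopt-style parser sees them."""
    opts, args = getopt.getopt(argv, SHORT_OPTS)
    return dict(opts), args


def vulnerable_startup(dbname):
    """The bug class: the client-supplied dbname is dropped into argv as-is.

    A name beginning with '-' is parsed as a switch, so the database name
    vanishes and a recovery-mode switch is set from untrusted input.
    """
    argv = ["-D", DATA_DIR, dbname]
    return parse_backend_argv(argv)


def hardened_startup(dbname):
    """Reject switch-shaped names and end switch parsing before user data.

    Either measure alone closes the toy bug; both together are cheap.
    """
    if dbname.startswith("-"):
        raise ValueError("database name may not begin with '-'")
    argv = ["-D", DATA_DIR, "--", dbname]   # '--' stops switch parsing
    return parse_backend_argv(argv)


if __name__ == "__main__":
    for name in ("appdb", "-r/tmp/evil.log"):
        print("vulnerable:", repr(name), "->", vulnerable_startup(name))
        try:
            print("hardened:  ", repr(name), "->", hardened_startup(name))
        except ValueError as exc:
            print("hardened:  ", repr(name), "-> rejected:", exc)
```

Run as a script, the first name parses the same way in both versions; the second shows the vulnerable path returning an empty positional list with `-r` set, and the hardened path refusing the name outright.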