[pkg-bacula-devel] Bug#923511: make_catalog_backup.pl doesn't sanitize $args{db_name}

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Mar 1 08:38:14 GMT 2019


Package: bacula-director
Version: 7.4.4+dfsg-6

(Bug still present in latest upstream release.)

/etc/bacula/scripts/make_catalog_backup.pl uses a temporary file with a name
based on $args{db_name}. This fails if the database name contains / characters,
as it well might if it is a URI like
postgresql://host/db?sslmode=verify-full&sslrootcert=/etc/ssl/certs/host-ca.crt

(Aside: forcing TLS server certificate validation is my actual reason for
using a PostgreSQL connection string as the database name in the Bacula
configuration. It works, and may be worth documenting in the Bacula manual;
or Bacula could be enhanced to pass connection options in some other way.
Such wishlist items are not what the present bug report is about; I mention
them only for context.)

I'm planning to base the file name on the catalog name instead, though I
suppose even that might conceivably contain forbidden characters in some
installations.
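One way to make the temporary-file name robust regardless of whether it is derived from the database name or from the catalog name, as an added example that is not the make_catalog_backup.pl script from the bug report nor Bacula's own code. It reduces the name to a filename-safe token before handing it to File::Temp, so a PostgreSQL URI containing `/`, `?`, `&` or `=` can no longer turn into a path; the target directory (`/var/lib/bacula` in the comment) and the helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not the script from the bug report: derive a safe temporary
# file name from a Bacula db_name that may be a full PostgreSQL URI.
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);

# Reduce an arbitrary database or catalog name (possibly a URI containing
# '/', '?', '&', '=' ...) to a filename-safe token. Only [A-Za-z0-9._-]
# survive; every other run of characters collapses to a single '_'.
sub safe_name {
    my ($name) = @_;
    (my $safe = $name) =~ s/[^A-Za-z0-9._-]+/_/g;
    $safe =~ s/^\.+//;                 # no leading dots: no hidden files, no '..'
    $safe = 'catalog' if $safe eq '';  # never an empty stem
    return substr($safe, 0, 100);      # keep the resulting path short
}

# Create the temporary dump file inside a directory that is not
# world-writable (assumption: the Bacula working directory, e.g.
# /var/lib/bacula). File::Temp adds a random suffix, so the name is neither
# predictable nor able to clobber an existing file.
sub catalog_tmpfile {
    my ($name, $dir) = @_;
    my $stem = safe_name($name);
    my ($fh, $path) = tempfile("$stem.XXXXXXXX", DIR => $dir, SUFFIX => '.sql');
    return ($fh, $path);
}

# Demonstration with the connection string quoted in the report, using a
# throw-away directory so the example runs anywhere.
my $uri = 'postgresql://host/db?sslmode=verify-full&sslrootcert=/etc/ssl/certs/host-ca.crt';
my $dir = tempdir(CLEANUP => 1);
my ($fh, $path) = catalog_tmpfile($uri, $dir);
print "stem: ", safe_name($uri), "\n";
print "file: $path\n";
close $fh;
```

The same `safe_name` can be applied to the catalog name the report proposes to use instead, which removes the residual worry about unusual characters in that field as well.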
