psql \restrict


Peter

Nov 3, 2025, 10:01:32 AM
to PostgreSQL-cz
Hello,

today I noticed something interesting in the pg_dump output: it starts with the meta-command \restrict and ends with \unrestrict. It looks like a new feature in 17.6 + a backport down to version 13.

Enter "restricted" mode with the provided key. In this mode, the only allowed meta-command is \unrestrict, to exit restricted.
https://www.postgresql.org/docs/17/app-psql.html#APP-PSQL-META-COMMAND-RESTRICT


Release Notes:
Prevent pg_dump scripts from being used to attack the user running the restore (Nathan Bossart)

Since dump/restore operations typically involve running SQL commands as superuser, the target database installation must trust the source server. However, it does not follow that the operating system user who executes psql to perform the restore should have to trust the source server. The risk here is that an attacker who has gained superuser-level control over the source server might be able to cause it to emit text that would be interpreted as psql meta-commands. That would provide shell-level access to the restoring user's own account, independently of access to the target database.

To provide a positive guarantee that this can't happen, extend psql with a \restrict command that prevents execution of further meta-commands, and teach pg_dump to issue that before any data coming from the source server.

The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem. (CVE-2025-8714)



.pl.
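
As an added example (not part of the original post and not PostgreSQL project code): a heuristic lint for a plain-text, single-database pg_dump script that checks the \restrict/\unrestrict wrapper described above before the file is fed to psql. The function name `check_dump`, the sample dump and its key are constructed for illustration; the check only looks at lines that begin with a backslash, so it complements psql's own enforcement rather than replacing it.

```python
import re

# Keys are alphanumeric, per the psql documentation for \restrict.
WRAP = re.compile(r"^\\(restrict|unrestrict)\s+([A-Za-z0-9]+)\s*$")
COPY_STDIN = re.compile(r"^COPY\s.*\bFROM\s+stdin\b.*;\s*$", re.IGNORECASE)

def check_dump(text):
    """Lint a plain-text, single-database pg_dump script (heuristic).

    Returns [(line_number, message)]; an empty list means the
    restrict/unrestrict wrapper is present, balanced and unbroken.
    """
    findings, key, wrapped, in_copy = [], None, False, False
    for no, line in enumerate(text.splitlines(), 1):
        if in_copy:                   # COPY rows may begin with a backslash
            in_copy = line != "\\."   # a lone "\." ends the data block
            continue
        if COPY_STDIN.match(line):
            in_copy = True
            continue
        if not line.startswith("\\"):
            continue
        m = WRAP.match(line)
        if m is None:                 # any other backslash command
            where = "inside" if key else "outside"
            findings.append((no, f"meta-command {where} restricted mode: {line.split()[0]}"))
        elif m.group(1) == "restrict":
            if key:
                findings.append((no, "nested \\restrict"))
            key, wrapped = m.group(2), True
        elif m.group(2) != key:       # also covers \unrestrict with no open \restrict
            findings.append((no, "\\unrestrict key does not match an open \\restrict"))
        else:
            key = None
    if not wrapped:
        findings.append((0, "no \\restrict found; dump may predate the fix"))
    elif key is not None:
        findings.append((0, "\\restrict never closed by a matching \\unrestrict"))
    return findings

# Constructed sample in the layout the post describes; the key is made up.
GOOD = ("--\n-- PostgreSQL database dump\n--\n\n\\restrict AbC123xyz\n\n"
        "CREATE TABLE public.t (a text);\nCOPY public.t (a) FROM stdin;\n"
        "\\N\n\\.\n\n\\unrestrict AbC123xyz\n")
BAD = GOOD.replace("CREATE TABLE", "\\echo injected\nCREATE TABLE")

if __name__ == "__main__":
    print(check_dump(GOOD))   # wrapper intact
    print(check_dump(BAD))    # stray meta-command reported
```

Multi-line string literals whose continuation lines start with a backslash will be reported as well, so treat findings as items to review by hand.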