PostgreSQL Team Refutes the COPY ... PROGRAM Vulnerability

Developers state that CVE-2019-9193 is not a vulnerability at all
05 April 2019

In response to news reports based on the CVE-2019-9193 vulnerability entry, the PostgreSQL developers have published a rebuttal. Some analysts present CVE-2019-9193 as a critical, remotely exploitable problem which, in the default configuration, lets an attacker execute arbitrary code with the privileges of the user the DBMS runs as by manipulating the COPY TO / FROM PROGRAM construct. According to the developers, these claims do not hold: the described problem is contrived, CVE-2019-9193 is not in fact a vulnerability, and the identifier was assigned in error.

We encourage all users of PostgreSQL to follow the best practice, which is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well.

PostgreSQL Team

The "COPY TO / FROM PROGRAM" construct is regular, documented functionality that is available only to a superuser or to a role that has been explicitly granted the predefined role "pg_execute_server_program". Contrary to statements in the publications, the predefined roles pg_read_server_files and pg_write_server_files (which exist in every installation but are not granted to anyone by default) do not confer the right to run the COPY ... PROGRAM construct. Ordinary database users therefore cannot launch programs through "COPY TO / FROM PROGRAM", and a superuser has no need to "break into" an environment to which they already have full access: the database superuser already holds the privileges of the operating-system user under which PostgreSQL is running.
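The points above can be checked directly on a server. The following SQL session is an added example, not part of the original article or of PostgreSQL's own documentation; it assumes PostgreSQL 11 or newer (where the predefined roles pg_read_server_files, pg_write_server_files and pg_execute_server_program exist), a superuser session, and a hypothetical role name `app_user` chosen for illustration. It audits who can actually run COPY ... PROGRAM, shows the construct doing exactly what it is designed to do for a superuser, shows it being refused for a role that holds only the file-access roles, and ends with the corresponding revocation.

```sql
-- Added example (not from the article or the PostgreSQL project).
-- Assumes PostgreSQL 11+ and a superuser session; `app_user` is a
-- hypothetical role name used only for illustration.

-- 1. Who can run COPY ... PROGRAM at all? Only superusers and members of
--    pg_execute_server_program. pg_has_role() also reports superusers as
--    members of every role, so the OR is mostly for readability.
SELECT rolname, rolsuper, rolcanlogin
FROM   pg_roles
WHERE  rolsuper
   OR  pg_has_role(oid, 'pg_execute_server_program', 'MEMBER')
ORDER  BY rolname;

-- 2. Which of those can log in? These are the accounts the PostgreSQL
--    team's advice is about: none of them should be handed to remote or
--    untrusted users.
SELECT rolname
FROM   pg_roles
WHERE  rolsuper AND rolcanlogin;

-- 3. What a superuser can do by design: run a server-side program and read
--    its output into a table. This is the feature, not a bypass; the
--    program runs as the operating-system user that owns the server process.
CREATE TEMP TABLE program_output (line text);
COPY program_output FROM PROGRAM 'id';
SELECT * FROM program_output;

-- 4. The same statement from an unprivileged role is refused, and the two
--    predefined file-access roles do not change that.
CREATE ROLE app_user LOGIN PASSWORD 'replace-me';
GRANT pg_read_server_files, pg_write_server_files TO app_user;
SET ROLE app_user;
COPY program_output FROM PROGRAM 'id';
-- Fails with an insufficient-privilege error; on PostgreSQL 11 to 14 the
-- message reads "must be superuser or a member of the
-- pg_execute_server_program role to COPY to or from an external program".
RESET ROLE;

-- 5. Hardening: if a role was ever granted program execution or superuser
--    status for convenience, take it back. Both statements are harmless
--    if the role never held the privilege.
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;
```

Step 1 is the query worth scheduling: any login role that appears in its output can execute operating-system commands on the database host, so the list should contain only administrators who already have shell access to that machine.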

Ruby/RoR News Digest 9-15.11

The delegation challenge of Ruby 2.7, feedback about writing your own Ruby book, a podcast on testing at scale at Stripe, and more
15 November 2019

Greetings! I hope your week went great! Here's the new "gemmy" programming news digest.

Learn how to handle attachments in Action Text in Rails 6, download large Heroku Postgres backups, check out the Tomo update, and more.

Guides

  • Handling Attachments in Action Text in Rails 6 

The second part of the Action Text tutorial, which focuses on blocking files by type, how files are rendered, and previewing PDFs.

  • Downloading Large Heroku Postgres Backups

Learn how to download large Heroku Postgres backups in a proper and convenient way.

Articles

  • The Delegation Challenge of Ruby 2.7 

This is a somewhat odd situation where a change to argument handling changes how delegation works, so the same code behaves differently in Ruby 2.6, 2.7, and 3.0. It's a tough nut to crack and a great example of the edge cases that come with language design.

  • Feedback About Writing A Technical Ruby Book 

The author's experience of writing a book about programming.

Updates

  • Tomo

A "friendly" command-line tool for deploying Rails apps.

  • Strings::Case

A library for converting strings between different casing conventions.

  • Reek

It will detect your code's smells, whatever that means.

  • Invisible Captcha

A spam protector for Rails apps.

Video

  • Testing Active Job in Ruby on Rails

Podcast

  • Discussing Testing at Scale at Stripe

In this 48-minute interview, Nelson Elhage, who spent 7 years at Stripe spearheading developer productivity initiatives, shares what he learned and digs into why Stripe created the Sorbet Ruby type checker.