[pkg-bacula-devel] Bug#923511: Bug#923511: make_catalog_backup.pl doesn't sanitize $args{db_name}
Sergio Gelato
sergio.gelato at astro.su.se
Mon Mar 4 08:20:49 GMT 2019
* Carsten Leonhardt [2019-03-03 18:59:06 +0100]:
> I've written a patch to base the filename on the catalog name as you
> suggested (although I'm not good at perl), but the script
> "delete_catalog_backup" needs to be changed too.
That's probably correct. I'm still using a modified version of
delete_catalog_backup.pl, which doesn't seem to be part of Debian any more,
and indeed I had to modify that accordingly.
The patch looks good. I'd probably have used tr/A-Za-z0-9_-//cd but that's
a matter of taste.
Another thing I've found out in testing is that some versions of libpq have
trouble with URIs in the PGDATABASE environment variable; this can be worked
around by invoking pg_dump with an explicit -d argument:
> my %args = @_;
> setup_env_pgsql(%args);
> - exec("HOME='$wd' pg_dump -c > '$wd/$args{db_name}.sql'");
> + exec("HOME='$wd' pg_dump -c -d '$args{db_name}' > '$wd/$dump_filename.sql'");
> print "Error while executing postgres dump $!\n";
> return 1; # in case of error
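Review bot: on the added `exec` line, `$args{db_name}` is interpolated between single quotes in a string that the shell parses, while only the output path switches to `$dump_filename`; a catalog name or URI containing `'` ends the quoting and the remainder is interpreted by the shell. Escape embedded single quotes before interpolating, or reject such names, or avoid the shell by redirecting STDOUT in Perl and calling `exec` in list form. The same line also places the full `-d` value in pg_dump's argument list, which is worth a comment in the script since that value can be a URI.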
The drawback, of course, is that the URI may include a password; so maybe
this is best left up to the local system administrator.
I'll see about reporting this to the PostgreSQL maintainers; the intent of
the source code seems to be that URIs should be valid in PGDATABASE,
so this looks like a bug. 9.6 is affected, not sure about other versions.
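
One way to combine the tr/A-Za-z0-9_-//cd filter and the explicit -d argument discussed in this message without passing the catalog name through a shell. This is an added example, not part of the patch or of Bacula; the names safe_dump_name, pg_dump_argv and dump_catalog and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reduce a catalog name (possibly a libpq URI) to filename-safe characters.
sub safe_dump_name {
    my ($db_name) = @_;
    (my $name = $db_name) =~ tr/A-Za-z0-9_-//cd;  # delete everything else
    die "catalog name has no usable characters\n" if $name eq '';
    return $name;
}

# Argument vector for pg_dump; each element reaches pg_dump verbatim.
# The -d value is still visible in the process argument list.
sub pg_dump_argv {
    my ($db_name) = @_;
    return ('pg_dump', '-c', '-d', $db_name);
}

# Replaces the current process with pg_dump, as the original script does.
sub dump_catalog {
    my ($wd, $db_name) = @_;
    my $out = "$wd/" . safe_dump_name($db_name) . ".sql";
    $ENV{HOME} = $wd;
    # Redirect in Perl rather than with a shell ">" so no shell is involved.
    open(STDOUT, '>', $out) or die "cannot create $out: $!\n";
    my @argv = pg_dump_argv($db_name);
    exec { $argv[0] } @argv;
    print STDERR "Error while executing postgres dump $!\n";
    return 1;    # only reached if exec failed
}

# Constructed sample inputs; dump_catalog is not called here.
my @samples = (
    "bacula",
    "bac'ula; id",
    'postgresql://bacula:secret@db.example/bacula',
);
for my $n (@samples) {
    # For the URI sample the password characters survive into the filename.
    printf "%-46s -> %s.sql\n", $n, safe_dump_name($n);
}
```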