database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-20 15:22:23 +03:00
Code Activity

Restore PGREQUIRESSL recognition in libpq.

Browse Source 
Commit 65c3bf19fd moved handling of the,
already then, deprecated requiressl parameter into conninfo_storeval().
The default PGREQUIRESSL environment variable was however lost in the
change resulting in a potentially silent accept of a non-SSL connection
even when set.  Its documentation remained.  Restore its implementation.
Also amend the documentation to mark PGREQUIRESSL as deprecated for
those not following the link to requiressl.  Back-patch to 9.3, where
commit 65c3bf1 first appeared.

Behavior has been more complex when the user provides both deprecated
and non-deprecated settings.  Before commit 65c3bf1, libpq operated
according to the first of these found:

  requiressl=1
  PGREQUIRESSL=1
  sslmode=*
  PGSSLMODE=*

(Note requiressl=0 didn't override sslmode=*; it would only suppress
PGREQUIRESSL=1 or a previous requiressl=1.  PGREQUIRESSL=0 had no effect
whatsoever.)  Starting with commit 65c3bf1, libpq ignored PGREQUIRESSL,
and order of precedence changed to this:

  last of requiressl=* or sslmode=*
  PGSSLMODE=*

Starting now, adopt the following order of precedence:

  last of requiressl=* or sslmode=*
  PGSSLMODE=*
  PGREQUIRESSL=1

This retains the 65c3bf1 behavior for connection strings that contain
both requiressl=* and sslmode=*.  It retains the 65c3bf1 change that
either connection string option overrides both environment variables.
For the first time, PGSSLMODE has precedence over PGREQUIRESSL; this
avoids reducing security of "PGREQUIRESSL=1 PGSSLMODE=verify-full"
configurations originating under v9.3 and later.

Daniel Gustafsson

Security: CVE-2017-7485
This commit is contained in:
Noah Misch
2017-05-08 07:24:24 -07:00
parent 74cadeaa2f
commit 0170b10dff
2 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
doc/src/sgml/libpq.sgml
View File

@ -7061,6 +7061,9 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
</indexterm>
<envar>PGREQUIRESSL</envar> behaves the same as the <xref
linkend="libpq-connect-requiressl"> connection parameter.
This environment variable is deprecated in favor of the
<envar>PGSSLMODE</envar> variable; setting both variables suppresses the
effect of this one.
</para>
</listitem>