
Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash

the server, if it has been compiled with Asserts enabled (CVE-2006-0553).
Thanks to Akio Ishida for reporting this problem.
Tom Lane
2006-02-12 22:33:47 +00:00
parent da91fde3e8
commit 118f54d06d
3 changed files with 22 additions and 7 deletions


@ -9,7 +9,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.71.2.3 2005/06/05 01:49:06 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.71.2.4 2006/02/12 22:33:46 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -532,6 +532,8 @@ show_server_encoding(void)
* that can be re-used directly. We store the string in the form of * that can be re-used directly. We store the string in the form of
* NAMEDATALEN 'x's followed by the numeric userid --- this cannot conflict * NAMEDATALEN 'x's followed by the numeric userid --- this cannot conflict
* with any valid user name, because of the NAMEDATALEN limit on names. * with any valid user name, because of the NAMEDATALEN limit on names.
* (NOTE: we rely on guc.c to have properly truncated any incoming value,
* but not to truncate already-stored values. See GUC_IS_NAME processing.)
*/ */
const char * const char *
assign_session_authorization(const char *value, bool doit, bool interactive) assign_session_authorization(const char *value, bool doit, bool interactive)
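Review bot: The added NOTE above assign_session_authorization records the dependency on guc.c but not why the truncation length matters, and the function body lies outside this hunk. From the visible text the stored form begins with exactly NAMEDATALEN 'x's, while GUC_IS_NAME limits incoming strings to NAMEDATALEN-1 bytes, so a client-supplied value presumably can never be mistaken for the stored form. Saying so would show a maintainer what breaks if the flag is ever dropped from the session_authorization entry, for example `* An incoming value is at most NAMEDATALEN-1 bytes, so it can never begin with NAMEDATALEN 'x's.`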


@ -2,7 +2,7 @@
* Encoding names and routines for work with it. All * Encoding names and routines for work with it. All
* in this file is shared bedween FE and BE. * in this file is shared bedween FE and BE.
* *
* $Id: encnames.c,v 1.10.2.1 2002/12/09 17:45:17 momjian Exp $ * $Id: encnames.c,v 1.10.2.2 2006/02/12 22:33:47 tgl Exp $
*/ */
#ifdef FRONTEND #ifdef FRONTEND
#include "postgres_fe.h" #include "postgres_fe.h"
@ -436,7 +436,7 @@ pg_char_to_encname_struct(const char *name)
if (name == NULL || *name == '\0') if (name == NULL || *name == '\0')
return NULL; return NULL;
if (strlen(name) > NAMEDATALEN) if (strlen(name) >= NAMEDATALEN)
{ {
#ifdef FRONTEND #ifdef FRONTEND
fprintf(stderr, "pg_char_to_encname_struct(): encoding name too long"); fprintf(stderr, "pg_char_to_encname_struct(): encoding name too long");
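Review bot: The tightened bound `strlen(name) >= NAMEDATALEN` in pg_char_to_encname_struct has no comment saying what it protects, and the code that consumes `name` is outside the hunk. If, as the new limit suggests, the name is later copied into a NAMEDATALEN-sized buffer, a one-line comment above the test such as `/* name plus its terminating NUL must fit in NAMEDATALEN bytes */` would keep the off-by-one from being reintroduced. The file header says this code is shared between frontend and backend, so the check is still needed for callers that never pass through the GUC_IS_NAME truncation in guc.c, and the comment could say that too.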


@ -5,7 +5,7 @@
* command, configuration file, and command line options. * command, configuration file, and command line options.
* See src/backend/utils/misc/README for more information. * See src/backend/utils/misc/README for more information.
* *
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.99.2.5 2003/04/04 00:32:57 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.99.2.6 2006/02/12 22:33:47 tgl Exp $
* *
* Copyright 2000 by PostgreSQL Global Development Group * Copyright 2000 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
@ -170,6 +170,7 @@ struct config_generic
#define GUC_LIST_QUOTE 0x0002 /* double-quote list elements */ #define GUC_LIST_QUOTE 0x0002 /* double-quote list elements */
#define GUC_NO_SHOW_ALL 0x0004 /* exclude from SHOW ALL */ #define GUC_NO_SHOW_ALL 0x0004 /* exclude from SHOW ALL */
#define GUC_NO_RESET_ALL 0x0008 /* exclude from RESET ALL */ #define GUC_NO_RESET_ALL 0x0008 /* exclude from RESET ALL */
#define GUC_IS_NAME 0x0010 /* limit string to NAMEDATALEN-1 */
/* bit values in status field */ /* bit values in status field */
#define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */ #define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
@ -736,7 +737,7 @@ static struct config_string
ConfigureNamesString[] = ConfigureNamesString[] =
{ {
{ {
{"client_encoding", PGC_USERSET}, &client_encoding_string, {"client_encoding", PGC_USERSET, GUC_IS_NAME}, &client_encoding_string,
"SQL_ASCII", assign_client_encoding, NULL "SQL_ASCII", assign_client_encoding, NULL
}, },
@ -799,7 +800,7 @@ static struct config_string
}, },
{ {
{"server_encoding", PGC_USERSET}, &server_encoding_string, {"server_encoding", PGC_USERSET, GUC_IS_NAME}, &server_encoding_string,
"SQL_ASCII", assign_server_encoding, show_server_encoding "SQL_ASCII", assign_server_encoding, show_server_encoding
}, },
@ -809,7 +810,7 @@ static struct config_string
}, },
{ {
{"session_authorization", PGC_USERSET, GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL}, {"session_authorization", PGC_USERSET, GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL},
&session_authorization_string, &session_authorization_string,
NULL, assign_session_authorization, show_session_authorization NULL, assign_session_authorization, show_session_authorization
}, },
@ -1907,6 +1908,18 @@ set_config_option(const char *name, const char *value,
elog(elevel, "out of memory"); elog(elevel, "out of memory");
return false; return false;
} }
/*
* The only sort of "parsing" check we need to do is
* apply truncation if GUC_IS_NAME.
*/
if (conf->gen.flags & GUC_IS_NAME)
{
int len;
len = pg_mbcliplen(newval, strlen(newval),
NAMEDATALEN-1);
newval[len] = '\0';
}
} }
else if (conf->reset_val) else if (conf->reset_val)
{ {
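Review bot: The GUC_IS_NAME branch in set_config_option shortens `newval` with `newval[len] = '\0'` without telling the caller, so an over-long session_authorization, client_encoding or server_encoding value is silently replaced by its prefix. For session_authorization that means the name acted on can differ from the one the client sent. A message before the assignment would make this visible, for example `if (newval[len] != '\0') elog(NOTICE, "value for \"%s\" truncated to %d bytes", name, len);`, provided a notice is acceptable at every point this function is called. The new comment could also state that the `else if (conf->reset_val)` path is deliberately left untruncated, since the note in variable.c relies on stored values keeping their full length. set_config_option starts and ends outside this hunk.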