Fix bug that allowed any logged-in user to SET ROLE to any other database user

id (CVE-2006-0553). Also fix related bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash the server, if it has been compiled with Asserts enabled. The escalation-of-privilege risk exists only in 8.1.0-8.1.2. However, the Assert-crash risk exists in all releases back to 7.3. Thanks to Akio Ishida for reporting this problem.
2025-07-02 09:02:37 +03:00 · 2006-02-12 22:32:43 +00:00
parent 2a5180c26e
commit 226a980bb0
4 changed files with 22 additions and 11 deletions
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.115 2005/11/22 18:17:10 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.116 2006/02/12 22:32:42 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -586,7 +586,9 @@ assign_client_encoding(const char *value, bool doit, GucSource source)
 * by the numeric oid, followed by a comma, followed by the role name.
 * This cannot be confused with a plain role name because of the NAMEDATALEN
 * limit on names, so we can tell whether we're being passed an initial
- * role name or a saved/restored value.
+ * role name or a saved/restored value.  (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values.  See GUC_IS_NAME processing.)
 */
 extern char *session_authorization_string;		/* in guc.c */