database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-24 00:23:06 +03:00
Code Activity

Empty search_path in Autovacuum and non-psql/pgbench clients.

Browse Source 
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects.  Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser.  This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".

This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump().  If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear.  Users may fix such errors
by schema-qualifying affected names.  After upgrading, consider watching
server logs for these errors.

The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint.  That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.

Back-patch to 9.3 (all supported versions).

Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.

Security: CVE-2018-1058
This commit is contained in:
Noah Misch
2018-02-26 07:39:44 -08:00
parent 3d2aed664e
commit 582edc369c
24 changed files with 338 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/bin/scripts/reindexdb.c
View File

@@ -282,23 +282,24 @@ reindex_one_database(const char *name, const char *dbname, const char *type,
PGconn *conn;
conn = connectDatabase(dbname, host, port, username, prompt_password,
progname, false, false);
progname, echo, false, false);
initPQExpBuffer(&sql);
appendPQExpBufferStr(&sql, "REINDEX");
appendPQExpBufferStr(&sql, "REINDEX ");
if (verbose)
appendPQExpBufferStr(&sql, " (VERBOSE)");
appendPQExpBufferStr(&sql, "(VERBOSE) ");
if (strcmp(type, "TABLE") == 0)
appendPQExpBuffer(&sql, " TABLE %s", name);
else if (strcmp(type, "INDEX") == 0)
appendPQExpBuffer(&sql, " INDEX %s", name);
appendPQExpBufferStr(&sql, type);
appendPQExpBufferChar(&sql, ' ');
if (strcmp(type, "TABLE") == 0 ||
strcmp(type, "INDEX") == 0)
appendQualifiedRelation(&sql, name, conn, progname, echo);
else if (strcmp(type, "SCHEMA") == 0)
appendPQExpBuffer(&sql, " SCHEMA %s", name);
appendPQExpBufferStr(&sql, name);
else if (strcmp(type, "DATABASE") == 0)
appendPQExpBuffer(&sql, " DATABASE %s", fmtId(PQdb(conn)));
appendPQExpBufferStr(&sql, fmtId(PQdb(conn)));
appendPQExpBufferChar(&sql, ';');
if (!executeMaintenanceCommand(conn, sql.data, echo))
@@ -335,7 +336,7 @@ reindex_all_databases(const char *maintenance_db,
int i;
conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
prompt_password, progname);
prompt_password, progname, echo);
result = executeQuery(conn, "SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1;", progname, echo);
PQfinish(conn);
@@ -372,7 +373,7 @@ reindex_system_catalogs(const char *dbname, const char *host, const char *port,
PQExpBufferData sql;
conn = connectDatabase(dbname, host, port, username, prompt_password,
progname, false, false);
progname, echo, false, false);
initPQExpBuffer(&sql);