Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it is

fundamentally insecure. Instead apply an opmask to the whole interpreter that imposes restrictions on unsafe operations. These restrictions are much harder to subvert than is Safe.pm, since there is no container to be broken out of. Backported to release 7.4. In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting of the two interpreters model for plperl and plperlu adopted in release 8.2. In versions 8.0 and up, the use of Perl's POSIX module to undo its locale mangling on Windows has become insecure with these changes, so it is replaced by our own routine, which is also faster. Nice side effects of the changes include that it is now possible to use perl's "strict" pragma in a natural way in plperl, and that perl's $a and $b variables now work as expected in sort routines, and that function compilation is significantly faster. Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker and Alexey Klyukin. Security: CVE-2010-1169
2025-07-30 11:03:19 +03:00 · 2010-05-13 16:43:41 +00:00
parent ffba89a9bb
commit 68e621bfa4
8 changed files with 713 additions and 218 deletions
--- a/doc/src/sgml/plperl.sgml
+++ b/doc/src/sgml/plperl.sgml
@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/plperl.sgml,v 2.49.2.1 2006/05/30 12:32:37 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/plperl.sgml,v 2.49.2.2 2010/05/13 16:43:40 adunstan Exp $
 -->

 <chapter id="plperl">
@ -275,12 +275,7 @@ SELECT * FROM perl_set();
 <programlisting>
 use strict;
 </programlisting>
-   in the function body.  But this only works in <application>PL/PerlU</>
-   functions, since <literal>use</> is not a trusted operation.  In
-   <application>PL/Perl</> functions you can instead do
-<programlisting>
-BEGIN { strict->import(); }
-</programlisting>
+   in the function body.
  </para>
 </sect1>

@ -596,6 +591,25 @@ $$ LANGUAGE plperl;
   If the above function was created by a superuser using the language
   <literal>plperlu</>, execution would succeed.
  </para>
+
+  <note>
+    <para>
+          For security reasons, to stop a leak of privileged operations from
+      <application>PL/PerlU</> to <application>PL/Perl</>, these two languages
+          have to run in separate instances of the Perl interpreter. If your
+          Perl installation has been appropriately compiled, this is not a problem.
+          However, not all installations are compiled with the requisite flags.
+          If <productname>PostgreSQL</> detects that this is the case then it will
+          not start a second interpreter, but instead create an error. In
+          consequence, in such an installation, you cannot use both 
+          <application>PL/PerlU</> and <application>PL/Perl</> in the same backend
+          process. The remedy for this is to obtain a Perl installation created
+          with the appropriate flags, namely either <literal>usemultiplicity</> or
+          both <literal>usethreads</> and <literal>useithreads</>. 
+          For more details,see the <literal>perlembed</> manual page.
+    </para>
+  </note>
+  
 </sect1>

 <sect1 id="plperl-triggers">