From 7ef174c032117d433e114779e4e33024c6d365cc Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Sun, 12 Feb 2006 22:33:29 +0000 Subject: [PATCH] Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash the server, if it has been compiled with Asserts enabled (CVE-2006-0553). Thanks to Akio Ishida for reporting this problem. --- src/backend/commands/variable.c | 6 ++++-- src/backend/utils/mb/encnames.c | 4 ++-- src/backend/utils/misc/guc.c | 16 ++++++++++++---- src/include/utils/guc_tables.h | 3 ++- 4 files changed, 20 insertions(+), 9 deletions(-) diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c index 7261c8e49b4..d88f8059b79 100644 --- a/src/backend/commands/variable.c +++ b/src/backend/commands/variable.c @@ -9,7 +9,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.2 2005/06/05 01:48:55 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.3 2006/02/12 22:33:28 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -736,7 +736,9 @@ assign_client_encoding(const char *value, bool doit, bool interactive) * by the numeric userid, followed by a comma, followed by the user name. * This cannot be confused with a plain user name because of the NAMEDATALEN * limit on names, so we can tell whether we're being passed an initial - * username or a saved/restored value. + * username or a saved/restored value. (NOTE: we rely on guc.c to have + * properly truncated any incoming value, but not to truncate already-stored + * values. See GUC_IS_NAME processing.) */ extern char *session_authorization_string; /* in guc.c */ diff --git a/src/backend/utils/mb/encnames.c b/src/backend/utils/mb/encnames.c index 86b3bfa6cbc..a114ff6e26a 100644 --- a/src/backend/utils/mb/encnames.c +++ b/src/backend/utils/mb/encnames.c @@ -2,7 +2,7 @@ * Encoding names and routines for work with it. All * in this file is shared bedween FE and BE. * - * $Id: encnames.c,v 1.17 2003/07/25 20:17:55 tgl Exp $ + * $Id: encnames.c,v 1.17.4.1 2006/02/12 22:33:28 tgl Exp $ */ #ifdef FRONTEND #include "postgres_fe.h" @@ -434,7 +434,7 @@ pg_char_to_encname_struct(const char *name) if (name == NULL || *name == '\0') return NULL; - if (strlen(name) > NAMEDATALEN) + if (strlen(name) >= NAMEDATALEN) { #ifdef FRONTEND fprintf(stderr, "encoding name too long\n"); diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 4391c12ebd0..c5887f79806 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut . * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.3 2004/08/11 21:10:52 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.4 2006/02/12 22:33:28 tgl Exp $ * *-------------------------------------------------------------------- */ @@ -44,6 +44,7 @@ #include "optimizer/prep.h" #include "parser/parse_expr.h" #include "parser/parse_relation.h" +#include "parser/scansup.h" #include "storage/fd.h" #include "storage/freespace.h" #include "storage/lock.h" @@ -1284,7 +1285,7 @@ static struct config_string ConfigureNamesString[] = {"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE, gettext_noop("Sets the client's character set encoding."), NULL, - GUC_REPORT + GUC_IS_NAME | GUC_REPORT }, &client_encoding_string, "SQL_ASCII", assign_client_encoding, NULL @@ -1475,7 +1476,7 @@ static struct config_string ConfigureNamesString[] = {"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE, gettext_noop("Sets the server (database) character set encoding."), NULL, - GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE + GUC_IS_NAME | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE }, &server_encoding_string, "SQL_ASCII", NULL, NULL @@ -1497,7 +1498,7 @@ static struct config_string ConfigureNamesString[] = {"session_authorization", PGC_USERSET, UNGROUPED, gettext_noop("Shows the session user name."), NULL, - GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE + GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE }, &session_authorization_string, NULL, assign_session_authorization, show_session_authorization @@ -2831,6 +2832,13 @@ set_config_option(const char *name, const char *value, return false; } + /* + * The only sort of "parsing" check we need to do is + * apply truncation if GUC_IS_NAME. + */ + if (conf->gen.flags & GUC_IS_NAME) + truncate_identifier(newval, strlen(newval), true); + if (record->context == PGC_USERLIMIT && *conf->variable) { diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h index 6bd7d820958..553d3fc531b 100644 --- a/src/include/utils/guc_tables.h +++ b/src/include/utils/guc_tables.h @@ -7,7 +7,7 @@ * * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * - * $Id: guc_tables.h,v 1.6 2003/08/04 02:40:15 momjian Exp $ + * $Id: guc_tables.h,v 1.6.4.1 2006/02/12 22:33:29 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -97,6 +97,7 @@ struct config_generic #define GUC_REPORT 0x0010 /* auto-report changes to client */ #define GUC_NOT_IN_SAMPLE 0x0020 /* not in postgresql.conf.sample */ #define GUC_DISALLOW_IN_FILE 0x0040 /* can't set in postgresql.conf */ +#define GUC_IS_NAME 0x0080 /* limit string to NAMEDATALEN-1 */ /* bit values in status field */ #define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */