Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash

the server, if it has been compiled with Asserts enabled (CVE-2006-0553). Thanks to Akio Ishida for reporting this problem.
2025-05-17 06:41:24 +03:00 · 2006-02-12 22:33:29 +00:00 · 2006-02-12 22:33:29 +00:00 · 7ef174c032
commit 7ef174c032
parent 86b2da894a
4 changed files with 20 additions and 9 deletions
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.2 2005/06/05 01:48:55 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.3 2006/02/12 22:33:28 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -736,7 +736,9 @@ assign_client_encoding(const char *value, bool doit, bool interactive)
 * by the numeric userid, followed by a comma, followed by the user name.
 * This cannot be confused with a plain user name because of the NAMEDATALEN
 * limit on names, so we can tell whether we're being passed an initial
- * username or a saved/restored value.
+ * username or a saved/restored value.  (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values.  See GUC_IS_NAME processing.)
 */
 extern char *session_authorization_string; /* in guc.c */

--- a/src/backend/utils/mb/encnames.c
+++ b/src/backend/utils/mb/encnames.c
@ -2,7 +2,7 @@
 * Encoding names and routines for work with it. All
 * in this file is shared bedween FE and BE.
 *
- * $Id: encnames.c,v 1.17 2003/07/25 20:17:55 tgl Exp $
+ * $Id: encnames.c,v 1.17.4.1 2006/02/12 22:33:28 tgl Exp $
 */
 #ifdef FRONTEND
 #include "postgres_fe.h"
@ -434,7 +434,7 @@ pg_char_to_encname_struct(const char *name)
 	if (name == NULL || *name == '\0')
 		return NULL;

-	if (strlen(name) > NAMEDATALEN)
+	if (strlen(name) >= NAMEDATALEN)
 	{
 #ifdef FRONTEND
 		fprintf(stderr, "encoding name too long\n");
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.3 2004/08/11 21:10:52 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.4 2006/02/12 22:33:28 tgl Exp $
 *
 *--------------------------------------------------------------------
 */
@ -44,6 +44,7 @@
 #include "optimizer/prep.h"
 #include "parser/parse_expr.h"
 #include "parser/parse_relation.h"
+#include "parser/scansup.h"
 #include "storage/fd.h"
 #include "storage/freespace.h"
 #include "storage/lock.h"
@ -1284,7 +1285,7 @@ static struct config_string ConfigureNamesString[] =
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
-			GUC_REPORT
+			GUC_IS_NAME | GUC_REPORT
 		},
 		&client_encoding_string,
 		"SQL_ASCII", assign_client_encoding, NULL
@ -1475,7 +1476,7 @@ static struct config_string ConfigureNamesString[] =
 		{"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the server (database) character set encoding."),
 			NULL,
-			GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+			GUC_IS_NAME | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
 		},
 		&server_encoding_string,
 		"SQL_ASCII", NULL, NULL
@ -1497,7 +1498,7 @@ static struct config_string ConfigureNamesString[] =
 		{"session_authorization", PGC_USERSET, UNGROUPED,
 			gettext_noop("Shows the session user name."),
 			NULL,
-			GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+			GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
 		},
 		&session_authorization_string,
 		NULL, assign_session_authorization, show_session_authorization
@ -2831,6 +2832,13 @@ set_config_option(const char *name, const char *value,
 						return false;
 					}

+					/*
+					 * The only sort of "parsing" check we need to do is
+					 * apply truncation if GUC_IS_NAME.
+					 */
+					if (conf->gen.flags & GUC_IS_NAME)
+						truncate_identifier(newval, strlen(newval), true);
+
 					if (record->context == PGC_USERLIMIT &&
 						*conf->variable)
 					{
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@ -7,7 +7,7 @@
 *
 * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group
 *
- *	  $Id: guc_tables.h,v 1.6 2003/08/04 02:40:15 momjian Exp $
+ *	  $Id: guc_tables.h,v 1.6.4.1 2006/02/12 22:33:29 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -97,6 +97,7 @@ struct config_generic
 #define GUC_REPORT				0x0010	/* auto-report changes to client */
 #define GUC_NOT_IN_SAMPLE		0x0020	/* not in postgresql.conf.sample */
 #define GUC_DISALLOW_IN_FILE	0x0040	/* can't set in postgresql.conf */
+#define GUC_IS_NAME				0x0080	/* limit string to NAMEDATALEN-1 */

 /* bit values in status field */
 #define GUC_HAVE_TENTATIVE	0x0001		/* tentative value is defined */