database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-30 11:03:19 +03:00
Code Activity

Empty search_path in Autovacuum and non-psql/pgbench clients.

Browse Source 
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects.  Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser.  This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".

This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump().  If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear.  Users may fix such errors
by schema-qualifying affected names.  After upgrading, consider watching
server logs for these errors.

The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint.  That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.

Back-patch to 9.3 (all supported versions).

Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.

Security: CVE-2018-1058
This commit is contained in:
Noah Misch
2018-02-26 07:39:44 -08:00
parent a8fc37a638
commit 91f3ffc524
28 changed files with 360 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
contrib/oid2name/oid2name.c
View File

@ -9,6 +9,7 @@
*/
#include "postgres_fe.h"
#include "fe_utils/connect.h"
#include "libpq-fe.h"
#include "pg_getopt.h"
@ -263,6 +264,7 @@ sql_conn(struct options * my_opts)
PGconn *conn;
char *password = NULL;
bool new_pass;
PGresult *res;
/*
* Start the connection. Loop until we have a password if requested by
@ -322,6 +324,17 @@ sql_conn(struct options * my_opts)
exit(1);
}
res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
if (PQresultStatus(res) != PGRES_TUPLES_OK)
{
fprintf(stderr, "oid2name: could not clear search_path: %s\n",
PQerrorMessage(conn));
PQclear(res);
PQfinish(conn);
exit(-1);
}
PQclear(res);
/* return the conn if good */
return conn;
}