database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-29 13:56:47 +03:00
Code

Fix incautious handling of possibly-miscoded strings in client code.

Browse Source 
An incorrectly-encoded multibyte character near the end of a string
could cause various processing loops to run past the string's
terminating NUL, with results ranging from no detectable issue to
a program crash, depending on what happens to be in the following
memory.

This isn't an issue in the server, because we take care to verify
the encoding of strings before doing any interesting processing
on them.  However, that lack of care leaked into client-side code
which shouldn't assume that anyone has validated the encoding of
its input.

Although this is certainly a bug worth fixing, the PG security team
elected not to regard it as a security issue, primarily because
any untrusted text should be sanitized by PQescapeLiteral or
the like before being incorporated into a SQL or psql command.
(If an app fails to do so, the same technique can be used to
cause SQL injection, with probably much more dire consequences
than a mere client-program crash.)  Those functions were already
made proof against this class of problem, cf CVE-2006-2313.

To fix, invent PQmblenBounded() which is like PQmblen() except it
won't return more than the number of bytes remaining in the string.
In HEAD we can make this a new libpq function, as PQmblen() is.
It seems imprudent to change libpq's API in stable branches though,
so in the back branches define PQmblenBounded as a macro in the files
that need it.  (Note that just changing PQmblen's behavior would not
be a good idea; notably, it would completely break the escaping
functions' defense against this exact problem.  So we just want a
version for those callers that don't have any better way of handling
this issue.)

Per private report from houjingyi.  Back-patch to all supported branches.
This commit is contained in:
Tom Lane 2021-06-07 14:15:25 -04:00
parent 7cdb976324
commit ac600c5416
8 changed files with 37 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/bin/psql/common.c
View File

@ -28,6 +28,8 @@
#include "fe_utils/mbprint.h" #include "fe_utils/mbprint.h"
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
static bool ExecQueryUsingCursor(const char *query, double *elapsed_msec); static bool ExecQueryUsingCursor(const char *query, double *elapsed_msec);
static bool command_no_begin(const char *query); static bool command_no_begin(const char *query);
static bool is_select_command(const char *query); static bool is_select_command(const char *query);
@ -1700,7 +1702,7 @@ skip_white_space(const char *query)
while (*query) while (*query)
{ {
int mblen = PQmblen(query, pset.encoding); int mblen = PQmblenBounded(query, pset.encoding);
/* /*
* Note: we assume the encoding is a superset of ASCII, so that for * Note: we assume the encoding is a superset of ASCII, so that for
@ -1737,7 +1739,7 @@ skip_white_space(const char *query)
query++; query++;
break; break;
} }
query += PQmblen(query, pset.encoding); query += PQmblenBounded(query, pset.encoding);
} }
} }
else if (cnestlevel > 0) else if (cnestlevel > 0)
@ -1772,7 +1774,7 @@ command_no_begin(const char *query)
*/ */
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
/* /*
* Transaction control commands. These should include every keyword that * Transaction control commands. These should include every keyword that
@ -1803,7 +1805,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 11 && pg_strncasecmp(query, "transaction", 11) == 0) if (wordlen == 11 && pg_strncasecmp(query, "transaction", 11) == 0)
return true; return true;
@ -1837,7 +1839,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 8 && pg_strncasecmp(query, "database", 8) == 0) if (wordlen == 8 && pg_strncasecmp(query, "database", 8) == 0)
return true; return true;
@ -1853,7 +1855,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
} }
if (wordlen == 5 && pg_strncasecmp(query, "index", 5) == 0) if (wordlen == 5 && pg_strncasecmp(query, "index", 5) == 0)
@ -1864,7 +1866,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 12 && pg_strncasecmp(query, "concurrently", 12) == 0) if (wordlen == 12 && pg_strncasecmp(query, "concurrently", 12) == 0)
return true; return true;
@ -1881,7 +1883,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
/* ALTER SYSTEM isn't allowed in xacts */ /* ALTER SYSTEM isn't allowed in xacts */
if (wordlen == 6 && pg_strncasecmp(query, "system", 6) == 0) if (wordlen == 6 && pg_strncasecmp(query, "system", 6) == 0)
@ -1904,7 +1906,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 8 && pg_strncasecmp(query, "database", 8) == 0) if (wordlen == 8 && pg_strncasecmp(query, "database", 8) == 0)
return true; return true;
@ -1922,7 +1924,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 12 && pg_strncasecmp(query, "concurrently", 12) == 0) if (wordlen == 12 && pg_strncasecmp(query, "concurrently", 12) == 0)
return true; return true;
@ -1942,7 +1944,7 @@ command_no_begin(const char *query)
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 3 && pg_strncasecmp(query, "all", 3) == 0) if (wordlen == 3 && pg_strncasecmp(query, "all", 3) == 0)
return true; return true;
@ -1978,7 +1980,7 @@ is_select_command(const char *query)
*/ */
wordlen = 0; wordlen = 0;
while (isalpha((unsigned char) query[wordlen])) while (isalpha((unsigned char) query[wordlen]))
wordlen += PQmblen(&query[wordlen], pset.encoding); wordlen += PQmblenBounded(&query[wordlen], pset.encoding);
if (wordlen == 6 && pg_strncasecmp(query, "select", 6) == 0) if (wordlen == 6 && pg_strncasecmp(query, "select", 6) == 0)
return true; return true;

4
src/bin/psql/psqlscanslash.l
View File

@ -26,6 +26,8 @@
%{ %{
#include "fe_utils/psqlscan_int.h" #include "fe_utils/psqlscan_int.h"
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
/* /*
* We must have a typedef YYSTYPE for yylex's first argument, but this lexer * We must have a typedef YYSTYPE for yylex's first argument, but this lexer
* doesn't presently make use of that argument, so just declare it as int. * doesn't presently make use of that argument, so just declare it as int.
@ -681,7 +683,7 @@ dequote_downcase_identifier(char *str, bool downcase, int encoding)
{ {
if (downcase && !inquotes) if (downcase && !inquotes)
*cp = pg_tolower((unsigned char) *cp); *cp = pg_tolower((unsigned char) *cp);
cp += PQmblen(cp, encoding); cp += PQmblenBounded(cp, encoding);
} }
} }
} }

8
src/bin/psql/stringutils.c
View File

@ -12,6 +12,8 @@
#include "common.h" #include "common.h"
#include "stringutils.h" #include "stringutils.h"
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
/* /*
* Replacement for strtok() (a.k.a. poor man's flex) * Replacement for strtok() (a.k.a. poor man's flex)
@ -143,7 +145,7 @@ strtokx(const char *s,
/* okay, we have a quoted token, now scan for the closer */ /* okay, we have a quoted token, now scan for the closer */
char thisquote = *p++; char thisquote = *p++;
for (; *p; p += PQmblen(p, encoding)) for (; *p; p += PQmblenBounded(p, encoding))
{ {
if (*p == escape && p[1] != '\0') if (*p == escape && p[1] != '\0')
p++; /* process escaped anything */ p++; /* process escaped anything */
@ -262,7 +264,7 @@ strip_quotes(char *source, char quote, char escape, int encoding)
else if (c == escape && src[1] != '\0') else if (c == escape && src[1] != '\0')
src++; /* process escaped character */ src++; /* process escaped character */
i = PQmblen(src, encoding); i = PQmblenBounded(src, encoding);
while (i--) while (i--)
*dst++ = *src++; *dst++ = *src++;
} }
@ -322,7 +324,7 @@ quote_if_needed(const char *source, const char *entails_quote,
else if (strchr(entails_quote, c)) else if (strchr(entails_quote, c))
need_quotes = true; need_quotes = true;
i = PQmblen(src, encoding); i = PQmblenBounded(src, encoding);
while (i--) while (i--)
*dst++ = *src++; *dst++ = *src++;
} }

4
src/bin/psql/tab-complete.c
View File

@ -57,6 +57,8 @@ extern char *filename_completion_function();
#define completion_matches rl_completion_matches #define completion_matches rl_completion_matches
#endif #endif
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
/* word break characters */ /* word break characters */
#define WORD_BREAKS "\t\n@$><=;|&{() " #define WORD_BREAKS "\t\n@$><=;|&{() "
@ -3308,7 +3310,7 @@ _complete_from_query(int is_schema_query, const char *text, int state)
while (*pstr) while (*pstr)
{ {
char_length++; char_length++;
pstr += PQmblen(pstr, pset.encoding); pstr += PQmblenBounded(pstr, pset.encoding);
} }
/* Free any prior result */ /* Free any prior result */

4
src/bin/scripts/common.c
View File

@ -21,6 +21,8 @@
#include "fe_utils/connect.h" #include "fe_utils/connect.h"
#include "fe_utils/string_utils.h" #include "fe_utils/string_utils.h"
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
static PGcancel *volatile cancelConn = NULL; static PGcancel *volatile cancelConn = NULL;
bool CancelRequested = false; bool CancelRequested = false;
@ -304,7 +306,7 @@ split_table_columns_spec(const char *spec, int encoding,
cp++; cp++;
} }
else else
cp += PQmblen(cp, encoding); cp += PQmblenBounded(cp, encoding);
} }
*table = pg_strdup(spec); *table = pg_strdup(spec);
(*table)[cp - spec] = '\0'; /* no strndup */ (*table)[cp - spec] = '\0'; /* no strndup */

3
src/fe_utils/print.c
View File

@ -3527,6 +3527,9 @@ strlen_max_width(unsigned char *str, int *target_width, int encoding)
curr_width += char_width; curr_width += char_width;
str += PQmblen((char *) str, encoding); str += PQmblen((char *) str, encoding);
if (str > end) /* Don't overrun invalid string */
str = end;
} }
*target_width = curr_width; *target_width = curr_width;

3
src/interfaces/libpq/fe-print.c
View File

@ -36,6 +36,7 @@
#include "libpq-fe.h" #include "libpq-fe.h"
#include "libpq-int.h" #include "libpq-int.h"
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
static void do_field(const PQprintOpt *po, const PGresult *res, static void do_field(const PQprintOpt *po, const PGresult *res,
const int i, const int j, const int fs_len, const int i, const int j, const int fs_len,
@ -358,7 +359,7 @@ do_field(const PQprintOpt *po, const PGresult *res,
/* Detect whether field contains non-numeric data */ /* Detect whether field contains non-numeric data */
char ch = '0'; char ch = '0';
for (p = pval; *p; p += PQmblen(p, res->client_encoding)) for (p = pval; *p; p += PQmblenBounded(p, res->client_encoding))
{ {
ch = *p; ch = *p;
if (!((ch >= '0' && ch <= '9') || if (!((ch >= '0' && ch <= '9') ||

6
src/interfaces/libpq/fe-protocol3.c
View File

@ -42,6 +42,8 @@
((id) == 'T' || (id) == 'D' || (id) == 'd' || (id) == 'V' || \ ((id) == 'T' || (id) == 'D' || (id) == 'd' || (id) == 'V' || \
(id) == 'E' || (id) == 'N' || (id) == 'A') (id) == 'E' || (id) == 'N' || (id) == 'A')
#define PQmblenBounded(s, e) strnlen(s, PQmblen(s, e))
static void handleSyncLoss(PGconn *conn, char id, int msgLength); static void handleSyncLoss(PGconn *conn, char id, int msgLength);
static int getRowDescriptions(PGconn *conn, int msgLength); static int getRowDescriptions(PGconn *conn, int msgLength);
@ -1228,7 +1230,7 @@ reportErrorPosition(PQExpBuffer msg, const char *query, int loc, int encoding)
if (w <= 0) if (w <= 0)
w = 1; w = 1;
scroffset += w; scroffset += w;
qoffset += pg_encoding_mblen(encoding, &wquery[qoffset]); qoffset += PQmblenBounded(&wquery[qoffset], encoding);
} }
else else
{ {
@ -1296,7 +1298,7 @@ reportErrorPosition(PQExpBuffer msg, const char *query, int loc, int encoding)
* width. * width.
*/ */
scroffset = 0; scroffset = 0;
for (; i < msg->len; i += pg_encoding_mblen(encoding, &msg->data[i])) for (; i < msg->len; i += PQmblenBounded(&msg->data[i], encoding))
{ {
int w = pg_encoding_dsplen(encoding, &msg->data[i]); int w = pg_encoding_dsplen(encoding, &msg->data[i]);