mirror of
https://github.com/postgres/postgres.git
synced 2025-04-25 21:42:33 +03:00
582edc369c
This makes the client programs behave as documented regardless of the connect-time search_path and regardless of user-created objects. Today, a malicious user with CREATE permission on a search_path schema can take control of certain of these clients' queries and invoke arbitrary SQL functions under the client identity, often a superuser. This is exploitable in the default configuration, where all users have CREATE privilege on schema "public". This changes behavior of user-defined code stored in the database, like pg_index.indexprs and pg_extension_config_dump(). If they reach code bearing unqualified names, "does not exist" or "no schema has been selected to create in" errors might appear. Users may fix such errors by schema-qualifying affected names. After upgrading, consider watching server logs for these errors. The --table arguments of src/bin/scripts clients have been lax; for example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still performs a checkpoint. Back-patch to 9.3 (all supported versions). Reviewed by Tom Lane, though this fix strategy was not his first choice. Reported by Arseniy Sharoglazov. Security: CVE-2018-1058
29 lines
1.0 KiB
C
29 lines
1.0 KiB
C
/*-------------------------------------------------------------------------
|
|
*
|
|
* Interfaces in support of FE/BE connections.
|
|
*
|
|
*
|
|
* Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
*
|
|
* src/include/fe_utils/connect.h
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
#ifndef CONNECT_H
|
|
#define CONNECT_H
|
|
|
|
/*
|
|
* This SQL statement installs an always-secure search path, so malicious
|
|
* users can't take control. CREATE of an unqualified name will fail, because
|
|
* this selects no creation schema. This does not demote pg_temp, so it is
|
|
* suitable where we control the entire FE/BE connection but not suitable in
|
|
* SECURITY DEFINER functions. This is portable to PostgreSQL 7.3, which
|
|
* introduced schemas. When connected to an older version from code that
|
|
* might work with the old server, skip this.
|
|
*/
|
|
#define ALWAYS_SECURE_SEARCH_PATH_SQL \
|
|
"SELECT pg_catalog.set_config('search_path', '', false)"
|
|
|
|
#endif /* CONNECT_H */
|