Historically, pg_dump has "set search_path = foo, pg_catalog" when dumping an object in schema "foo", and has also caused that setting to be used while restoring the object. This is problematic because functions and operators in schema "foo" could capture references meant to refer to pg_catalog entries, both in the queries issued by pg_dump and those issued during the subsequent restore run. That could result in dump/restore misbehavior, or in privilege escalation if a nefarious user installs trojan-horse functions or operators. This patch changes pg_dump so that it does not change the search_path dynamically. The emitted restore script sets the search_path to what was used at dump time, and then leaves it alone thereafter. Created objects are placed in the correct schema, regardless of the active search_path, by dint of schema-qualifying their names in the CREATE commands, as well as in subsequent ALTER and ALTER-like commands. Since this change requires a change in the behavior of pg_restore when processing an archive file made according to this new convention, bump the archive file version number; old versions of pg_restore will therefore refuse to process files made with new versions of pg_dump. Security: CVE-2018-1058
/*-------------------------------------------------------------------------
 *
 * Utility routines for SQL dumping
 *
 * Basically this is stuff that is useful in both pg_dump and pg_dumpall.
 *
 *
 * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * src/bin/pg_dump/dumputils.h
 *
 *-------------------------------------------------------------------------
 */
#ifndef DUMPUTILS_H
#define DUMPUTILS_H
#include "libpq-fe.h"
#include "pqexpbuffer.h"
/*
 * strftime(3) format that pg_dump and related programs should use when
 * printing timestamps.
 *
 * The Windows variant omits the timezone.  Timezone names there are long and
 * localized, so they can carry characters in assorted encodings, and that has
 * been seen to produce encoding errors when the dump script is read back.
 * Switching to %z is not a way out: (1) %z is not portable to pre-C99
 * systems, and (2) on Windows %z doesn't behave any differently from %Z.
 */
#ifdef WIN32
#define PGDUMP_STRFTIME_FMT  "%Y-%m-%d %H:%M:%S"
#else
#define PGDUMP_STRFTIME_FMT  "%Y-%m-%d %H:%M:%S %Z"
#endif
/*
 * buildACLCommands
 *
 * Only the declaration is visible in this header.  Judging by the signature,
 * it appends ACL commands for one object to "sql" and reports success as a
 * bool -- confirm against the definition.
 *
 * NOTE(review): "nspname" is passed separately from "name".  This looks like
 * the schema used to qualify the object in the emitted commands, so that the
 * restore script does not depend on the active search_path (the concern
 * behind CVE-2018-1058).  Confirm which of name/subname/nspname the callee
 * expects to arrive already quoted; a mismatch would leave an unquoted
 * identifier in the dump.
 */
extern bool buildACLCommands(
	const char *name,
	const char *subname,
	const char *nspname,
	const char *type,
	const char *acls,
	const char *racls,
	const char *owner,
	const char *prefix,
	int remoteVersion,
	PQExpBuffer sql);
/*
 * buildDefaultACLCommands
 *
 * Only the declaration is visible in this header.  The name suggests the
 * default-privileges counterpart of buildACLCommands: it receives the
 * current ACL strings (acls/racls) and what appear to be the initial ones
 * (initacls/initracls), and writes its output to "sql".  The bool result
 * presumably signals success -- confirm against the definition.
 *
 * NOTE(review): "nspname" is a raw C string here; verify whether the callee
 * or the caller is responsible for quoting it before it reaches the dump.
 */
extern bool buildDefaultACLCommands(
	const char *type,
	const char *nspname,
	const char *acls,
	const char *racls,
	const char *initacls,
	const char *initracls,
	const char *owner,
	int remoteVersion,
	PQExpBuffer sql);
/*
 * buildShSecLabelQuery
 *
 * Only the declaration is visible in this header.  Presumably builds, into
 * "sql", a query for the security labels of the object identified by
 * catalog_name and objectId -- confirm against the definition.
 *
 * NOTE(review): catalog_name is a string rather than an OID; check that
 * callers only ever pass fixed catalog names and how the callee places it
 * in the query text.
 */
extern void buildShSecLabelQuery(
	PGconn *conn,
	const char *catalog_name,
	Oid objectId,
	PQExpBuffer sql);
/*
 * emitShSecLabels
 *
 * Only the declaration is visible in this header.  Presumably turns the rows
 * of "res" into security-label commands for the object named by
 * objtype/objname and appends them to "buffer" -- confirm against the
 * definition.
 *
 * NOTE(review): objtype and objname arrive as separate strings; verify
 * whether objname must already be quoted (and schema-qualified where that
 * applies) by the caller.
 */
extern void emitShSecLabels(
	PGconn *conn,
	PGresult *res,
	PQExpBuffer buffer,
	const char *objtype,
	const char *objname);
/*
 * buildACLQueries
 *
 * Only the declaration is visible in this header.  The four PQExpBuffer
 * arguments look like outputs that receive subquery text for the current
 * and initial ACLs -- confirm against the definition.
 *
 * NOTE(review): acl_column, acl_owner and obj_kind look like SQL fragments
 * chosen by the caller (column references and a kind value).  Confirm they
 * are always compile-time constants and never derived from database
 * content, since nothing in this signature marks them as needing escaping.
 */
extern void buildACLQueries(
	PQExpBuffer acl_subquery,
	PQExpBuffer racl_subquery,
	PQExpBuffer init_acl_subquery,
	PQExpBuffer init_racl_subquery,
	const char *acl_column,
	const char *acl_owner,
	const char *obj_kind,
	bool binary_upgrade);
#endif /* DUMPUTILS_H */