diff options
| author | Noah Misch <noah@leadboat.com> | 2018-02-26 07:39:44 -0800 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2018-02-26 07:39:48 -0800 |
| commit | 91f3ffc5249eff99c311fb27e7b29a44d9c62be1 (patch) | |
| tree | 3e1da7c2dcb544d0df7dc1e867549bcf099065cb /contrib | |
| parent | a8fc37a6381c0c2a5064d51aa31c72168c01a49a (diff) | |
| download | postgresql-91f3ffc5249eff99c311fb27e7b29a44d9c62be1.tar.gz postgresql-91f3ffc5249eff99c311fb27e7b29a44d9c62be1.zip | |
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/oid2name/oid2name.c | 13 | ||||
| -rw-r--r-- | contrib/vacuumlo/vacuumlo.c | 8 |
2 files changed, 16 insertions, 5 deletions
diff --git a/contrib/oid2name/oid2name.c b/contrib/oid2name/oid2name.c index e5eeec21c15..91da40352b4 100644 --- a/contrib/oid2name/oid2name.c +++ b/contrib/oid2name/oid2name.c @@ -9,6 +9,7 @@ */ #include "postgres_fe.h" +#include "fe_utils/connect.h" #include "libpq-fe.h" #include "pg_getopt.h" @@ -263,6 +264,7 @@ sql_conn(struct options * my_opts) PGconn *conn; char *password = NULL; bool new_pass; + PGresult *res; /* * Start the connection. Loop until we have a password if requested by @@ -322,6 +324,17 @@ sql_conn(struct options * my_opts) exit(1); } + res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL); + if (PQresultStatus(res) != PGRES_TUPLES_OK) + { + fprintf(stderr, "oid2name: could not clear search_path: %s\n", + PQerrorMessage(conn)); + PQclear(res); + PQfinish(conn); + exit(-1); + } + PQclear(res); + /* return the conn if good */ return conn; } diff --git a/contrib/vacuumlo/vacuumlo.c b/contrib/vacuumlo/vacuumlo.c index ca0d3048b82..fa51e33f5d4 100644 --- a/contrib/vacuumlo/vacuumlo.c +++ b/contrib/vacuumlo/vacuumlo.c @@ -21,6 +21,7 @@ #include <termios.h> #endif +#include "fe_utils/connect.h" #include "libpq-fe.h" #include "pg_getopt.h" @@ -135,11 +136,8 @@ vacuumlo(const char *database, const struct _param * param) fprintf(stdout, "Test run: no large objects will be removed!\n"); } - /* - * Don't get fooled by any non-system catalogs - */ - res = PQexec(conn, "SET search_path = pg_catalog"); - if (PQresultStatus(res) != PGRES_COMMAND_OK) + res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL); + if (PQresultStatus(res) != PGRES_TUPLES_OK) { fprintf(stderr, "Failed to set search_path:\n"); fprintf(stderr, "%s", PQerrorMessage(conn)); |