author | Tom Lane <tgl@sss.pgh.pa.us> | 2007-04-20 02:37:49 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2007-04-20 02:37:49 +0000 |
commit | d694bdd1c9a2f4042f74fbc1f5e4e82f99aa4aac (patch) | |
tree | b247d3ec5441bd5b6f02cb67357b758b833d1626 /doc/src | |
parent | 4e6c6a40e0a516fc84d7dd3f9bced47755d43361 (diff) | |
download | postgresql-d694bdd1c9a2f4042f74fbc1f5e4e82f99aa4aac.tar.gz postgresql-d694bdd1c9a2f4042f74fbc1f5e4e82f99aa4aac.zip |
Support explicit placement of the temporary-table schema within search_path.
This is needed to allow a security-definer function to set a truly secure
value of search_path. Without it, a malicious user can use temporary objects
to execute code with the privileges of the security-definer function. Even
pushing the temp schema to the back of the search path is not quite good
enough, because a function or operator at the back of the path might still
capture control from one nearer the front due to having a more exact datatype
match. Hence, disable searching the temp schema altogether for functions and
operators.
Security: CVE-2007-2138
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/config.sgml | 16 | ||||
-rw-r--r-- | doc/src/sgml/ref/create_function.sgml | 50 | ||||
-rw-r--r-- | doc/src/sgml/release.sgml | 180 |
3 files changed, 209 insertions, 37 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 9ffcd30abbe..d40b609e39c 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.98.2.4 2007/02/08 17:04:48 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.98.2.5 2007/04/20 02:37:48 tgl Exp $ --> <chapter Id="runtime-config"> <title>Server Configuration</title> @@ -3326,9 +3326,17 @@ SELECT * FROM parent WHERE key = 2400; mentioned in the path then it will be searched in the specified order. If <literal>pg_catalog</> is not in the path then it will be searched <emphasis>before</> searching any of the path items. - It should also be noted that the temporary-table schema, - <literal>pg_temp_<replaceable>nnn</></>, is implicitly searched before any of - these. + </para> + + <para> + Likewise, the current session's temporary-table schema, + <literal>pg_temp_<replaceable>nnn</></>, is always searched if it + exists. It can be explicitly listed in the path by using the + alias <literal>pg_temp</>. If it is not listed in the path then + it is searched first (before even <literal>pg_catalog</>). However, + the temporary schema is only searched for relation (table, view, + sequence, etc) and data type names. It will never be searched for + function or operator names. </para> <para> diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml index 3381c1db996..f05151a7237 100644 --- a/doc/src/sgml/ref/create_function.sgml +++ b/doc/src/sgml/ref/create_function.sgml @@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.70 2006/11/10 20:52:18 tgl Exp $ +$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.70.2.1 2007/04/20 02:37:48 tgl Exp $ --> <refentry id="SQL-CREATEFUNCTION"> 
@@ -476,6 +476,54 @@ SELECT * FROM dup(42); </para> </refsect1> + <refsect1 id="sql-createfunction-security"> + <title>Writing <literal>SECURITY DEFINER</literal> Functions Safely</title> + + <para> + Because a <literal>SECURITY DEFINER</literal> function is executed + with the privileges of the user that created it, care is needed to + ensure that the function cannot be misused. For security, + <xref linkend="guc-search-path"> should be set to exclude any schemas + writable by untrusted users. This prevents + malicious users from creating objects that mask objects used by the + function. Particularly important is in this regard is the + temporary-table schema, which is searched first by default, and + is normally writable by anyone. A secure arrangement can be had + by forcing the temporary schema to be searched last. To do this, + write <literal>pg_temp</> as the last entry in <varname>search_path</>. + This function illustrates safe usage: + </para> + +<programlisting> +CREATE FUNCTION check_password(uname TEXT, pass TEXT) +RETURNS BOOLEAN AS $$ +DECLARE passed BOOLEAN; + old_path TEXT; +BEGIN + -- Save old search_path; notice we must qualify current_setting + -- to ensure we invoke the right function + old_path := pg_catalog.current_setting('search_path'); + + -- Set a secure search_path: trusted schemas, then 'pg_temp'. + -- We set is_local = true so that the old value will be restored + -- in event of an error before we reach the function end. + PERFORM pg_catalog.set_config('search_path', 'admin, pg_temp', true); + + -- Do whatever secure work we came for. + SELECT (pwd = $2) INTO passed + FROM pwds + WHERE username = $1; + + -- Restore caller's search_path + PERFORM pg_catalog.set_config('search_path', old_path, true); + + RETURN passed; +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; +</programlisting> + + </refsect1> + <refsect1 id="sql-createfunction-compat"> <title>Compatibility</title> 
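Review bot: The new prose in the "Writing SECURITY DEFINER Functions Safely" section contains a doubled word, `Particularly important is in this regard is the temporary-table schema`, which should read `Particularly important in this regard is the temporary-table schema`. In the check_password example, `SELECT (pwd = $2) INTO passed FROM pwds WHERE username = $1` names `pwds` unqualified, so the illustration rests entirely on `admin` preceding `pg_temp` in the path it sets; a comment such as `-- pwds resolves in 'admin' because it precedes pg_temp in the path` would make that dependency explicit for readers who adapt the example to their own schemas. The example also compares the stored `pwd` column directly with the supplied password, which presumably implies cleartext storage; a one-line caveat that the function illustrates search_path handling rather than a recommended credential scheme would keep readers from copying that part verbatim.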
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml index 75807a2bdbd..4ba99335322 100644 --- a/doc/src/sgml/release.sgml +++ b/doc/src/sgml/release.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.488.2.8 2007/04/19 13:03:07 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.488.2.9 2007/04/20 02:37:48 tgl Exp $ --> <!-- Typical markup: @@ -44,7 +44,8 @@ do it for earlier branch release files. </note> <para> - This release contains fixes from 8.2.3. + This release contains a variety of fixes from 8.2.3, + including a security fix. </para> <sect2> @@ -63,8 +64,24 @@ do it for earlier branch release files. <listitem> <para> - Fix <varname>shared_preload_libraries</> for Win32 by forcing reload in each backend - (Korry Douglas) + Support explicit placement of the temporary-table schema within + <varname>search_path</>, and disable searching it for functions + and operators (Tom) + </para> + <para> + This is needed to allow a security-definer function to set a + truly secure value of <varname>search_path</>. Without it, + an unprivileged SQL user can use temporary objects to execute code + with the privileges of the security-definer function (CVE-2007-2138). + See <xref linkend="sql-createfunction" + endterm="sql-createfunction-title"> for more information. + </para> + </listitem> + + <listitem> + <para> + Fix <varname>shared_preload_libraries</> for Windows + by forcing reload in each backend (Korry Douglas) </para> </listitem> 
@@ -77,20 +94,21 @@ do it for earlier branch release files. <listitem> <para> - <filename>/contrib/tsearch2</> fixes (Teodor) + <filename>/contrib/tsearch2</> crash fixes (Teodor) </para> </listitem> <listitem> <para> - Require <command>COMMIT TRANSACTION</> to be executed in the same database as - it was prepared (Heikki) + Require <command>COMMIT PREPARED</> to be executed in the same + database as the transaction was prepared in (Heikki) </para> </listitem> <listitem> <para> - Allow Win32 <command>pg_dump</> to do binary backups larger than two gigabytes (Magnus) + Allow <command>pg_dump</> to do binary backups larger than two gigabytes + on Windows (Magnus) </para> </listitem> 
@@ -108,32 +126,49 @@ do it for earlier branch release files. <listitem> <para> - Improve detection of <acronym>POSIX</>-style time zone names (Tom) + Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles + <command>UPDATE</> chains (Tom, Pavan Deolasee) </para> </listitem> <listitem> <para> - Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee) + Fix bug in domains that use array types (Tom) </para> </listitem> <listitem> <para> - Fix bug in domains that use array types (Tom) + Fix <command>pg_dump</> so it can dump a serial column's sequence + using <option>-t</> when not also dumping the owning table + (Tom) + </para> + </listitem> + + <listitem> + <para> + Planner fixes, including improving outer join and bitmap scan + selection logic (Tom) </para> </listitem> <listitem> <para> - Fix <command>pg_dump</> so it can dump a sequence using <option>-t</> when not also dumping the owning table + Fix possible wrong answers or crash when a PL/pgSQL function tries + to <literal>RETURN</> from within an <literal>EXCEPTION</> block (Tom) </para> </listitem> <listitem> <para> - Improve outer join and bitmap join selection logic (Tom) + Fix PANIC during enlargement of a hash index (Tom) + </para> + </listitem> + + <listitem> + <para> + Fix POSIX-style timezone specs to follow new USA DST rules (Tom) </para> </listitem> @@ -3040,7 +3075,8 @@ do it for earlier branch release files. </note> <para> - This release contains fixes from 8.1.8. + This release contains a variety of fixes from 8.1.8, + including a security fix. </para> <sect2> 
@@ -3061,39 +3097,57 @@ do it for earlier branch release files. <listitem> <para> - Fix <function>to_char()</> so it properly upper/lower cases localized day or month - names (Pavel Stehule) + Support explicit placement of the temporary-table schema within + <varname>search_path</>, and disable searching it for functions + and operators (Tom) + </para> + <para> + This is needed to allow a security-definer function to set a + truly secure value of <varname>search_path</>. Without it, + an unprivileged SQL user can use temporary objects to execute code + with the privileges of the security-definer function (CVE-2007-2138). + See <xref linkend="sql-createfunction" + endterm="sql-createfunction-title"> for more information. + </para> + </listitem> + + <listitem> + <para> + <filename>/contrib/tsearch2</> crash fixes (Teodor) </para> </listitem> <listitem> <para> - <filename>/contrib/tsearch2</> fixes (Teodor) + Require <command>COMMIT PREPARED</> to be executed in the same + database as the transaction was prepared in (Heikki) </para> </listitem> <listitem> <para> - Require <command>COMMIT TRANSACTION</> to be executed in the same database as - it was prepared (Heikki) + Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles + <command>UPDATE</> chains (Tom, Pavan Deolasee) </para> </listitem> <listitem> <para> - Improve detection of <acronym>POSIX</>-style time zone names (Tom) + Planner fixes, including improving outer join and bitmap scan + selection logic (Tom) </para> </listitem> <listitem> <para> - Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee) + Fix PANIC during enlargement of a hash index (bug introduced in 8.1.6) + (Tom) </para> </listitem> <listitem> <para> - Improve outer join and bitmap join selection logic (Tom) + Fix POSIX-style timezone specs to follow new USA DST rules (Tom) </para> </listitem> 
@@ -6061,7 +6115,8 @@ psql -t -f fixseq.sql db1 | psql -e db1 </note> <para> - This release contains fixes from 8.0.12. + This release contains a variety of fixes from 8.0.12, + including a security fix. </para> <sect2> @@ -6082,25 +6137,43 @@ psql -t -f fixseq.sql db1 | psql -e db1 <listitem> <para> - <filename>/contrib/tsearch2</> fixes (Teodor) + Support explicit placement of the temporary-table schema within + <varname>search_path</>, and disable searching it for functions + and operators (Tom) + </para> + <para> + This is needed to allow a security-definer function to set a + truly secure value of <varname>search_path</>. Without it, + an unprivileged SQL user can use temporary objects to execute code + with the privileges of the security-definer function (CVE-2007-2138). + See <xref linkend="sql-createfunction" + endterm="sql-createfunction-title"> for more information. </para> </listitem> <listitem> <para> - Improve detection of <acronym>POSIX</>-style time zone names (Tom) + <filename>/contrib/tsearch2</> crash fixes (Teodor) </para> </listitem> <listitem> <para> - Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee) + Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles + <command>UPDATE</> chains (Tom, Pavan Deolasee) </para> </listitem> <listitem> <para> - <filename>/contrib/tsearch2</> fixes (Teodor) + Fix PANIC during enlargement of a hash index (bug introduced in 8.0.10) + (Tom) + </para> + </listitem> + + <listitem> + <para> + Fix POSIX-style timezone specs to follow new USA DST rules (Tom) </para> </listitem> @@ -9552,7 +9625,8 @@ typedefs (Michael)</para></listitem> </note> <para> - This release contains a variety of fixes from 7.4.16. + This release contains fixes from 7.4.16, + including a security fix. </para> <sect2> 
@@ -9573,13 +9647,37 @@ typedefs (Michael)</para></listitem> <listitem> <para> - <filename>/contrib/tsearch2</> fixes (Teodor) + Support explicit placement of the temporary-table schema within + <varname>search_path</>, and disable searching it for functions + and operators (Tom) + </para> + <para> + This is needed to allow a security-definer function to set a + truly secure value of <varname>search_path</>. Without it, + an unprivileged SQL user can use temporary objects to execute code + with the privileges of the security-definer function (CVE-2007-2138). + See <xref linkend="sql-createfunction" + endterm="sql-createfunction-title"> for more information. </para> </listitem> <listitem> <para> - Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee) + <filename>/contrib/tsearch2</> crash fixes (Teodor) + </para> + </listitem> + + <listitem> + <para> + Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles + <command>UPDATE</> chains (Tom, Pavan Deolasee) + </para> + </listitem> + + <listitem> + <para> + Fix PANIC during enlargement of a hash index (bug introduced in 7.4.15) + (Tom) </para> </listitem> @@ -12714,7 +12812,8 @@ DROP SCHEMA information_schema CASCADE; </note> <para> - This release contains a variety of fixes from 7.3.18. + This release contains fixes from 7.3.18, + including a security fix. </para> <sect2> 
@@ -12735,7 +12834,24 @@ DROP SCHEMA information_schema CASCADE; <listitem> <para> - Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee) + Support explicit placement of the temporary-table schema within + <varname>search_path</>, and disable searching it for functions + and operators (Tom) + </para> + <para> + This is needed to allow a security-definer function to set a + truly secure value of <varname>search_path</>. Without it, + an unprivileged SQL user can use temporary objects to execute code + with the privileges of the security-definer function (CVE-2007-2138). + See <xref linkend="sql-createfunction" + endterm="sql-createfunction-title"> for more information. + </para> + </listitem> + + <listitem> + <para> + Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles + <command>UPDATE</> chains (Tom, Pavan Deolasee) </para> </listitem> |