diff options
| author | Noah Misch <noah@leadboat.com> | 2023-08-07 06:05:56 -0700 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2023-08-07 06:06:00 -0700 |
| commit | eb044d8f0aee1ba4950b0867f6ca9328374318db (patch) | |
| tree | b5ea0cc1980197d5997d0a3edfff966554c78536 /src/backend/commands | |
| parent | 001561235787970ce91b60469498aac898dda866 (diff) | |
| download | postgresql-eb044d8f0aee1ba4950b0867f6ca9328374318db.tar.gz postgresql-eb044d8f0aee1ba4950b0867f6ca9328374318db.zip | |
Reject substituting extension schemas or owners matching ["$'\].
Substituting such values in extension scripts facilitated SQL injection
when @extowner@, @extschema@, or @extschema:...@ appeared inside a
quoting construct (dollar quoting, '', or ""). No bundled extension was
vulnerable. Vulnerable uses do appear in a documentation example and in
non-bundled extensions. Hence, the attack prerequisite was an
administrator having installed files of a vulnerable, trusted,
non-bundled extension. Subject to that prerequisite, this enabled an
attacker having database-level CREATE privilege to execute arbitrary
code as the bootstrap superuser. By blocking this attack in the core
server, there's no need to modify individual extensions. Back-patch to
v11 (all supported versions).
Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph
Berg.
Security: CVE-2023-39417
Diffstat (limited to 'src/backend/commands')
| -rw-r--r-- | src/backend/commands/extension.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c index 7e81d848190..0f9edf68c3a 100644 --- a/src/backend/commands/extension.c +++ b/src/backend/commands/extension.c @@ -888,6 +888,16 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control, char *c_sql = read_extension_script_file(control, filename); Datum t_sql; + /* + * We filter each substitution through quote_identifier(). When the + * arg contains one of the following characters, no one collection of + * quoting can work inside $$dollar-quoted string literals$$, + * 'single-quoted string literals', and outside of any literal. To + * avoid a security snare for extension authors, error on substitution + * for arguments containing these. + */ + const char *quoting_relevant_chars = "\"$'\\"; + /* We use various functions that want to operate on text datums */ t_sql = CStringGetTextDatum(c_sql); @@ -912,6 +922,7 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control, */ if (!control->relocatable) { + Datum old = t_sql; const char *qSchemaName = quote_identifier(schemaName); t_sql = DirectFunctionCall3Coll(replace_text, @@ -919,6 +930,11 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control, t_sql, CStringGetTextDatum("@extschema@"), CStringGetTextDatum(qSchemaName)); + if (t_sql != old && strpbrk(schemaName, quoting_relevant_chars)) + ereport(ERROR, + (errcode(ERRCODE_INVALID_TEXT_REPRESENTATION), + errmsg("invalid character in extension \"%s\" schema: must not contain any of \"%s\"", + control->name, quoting_relevant_chars))); } /* |