diff options
| author | Noah Misch <noah@leadboat.com> | 2020-08-10 09:22:54 -0700 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2020-08-10 09:22:58 -0700 |
| commit | 412c5c4010c0bec294f60a10cd56929680d3f95b (patch) | |
| tree | d6003b92269a55fd48363726ff56bdeb5b72b1a3 /src/backend/replication | |
| parent | 41dae35532d40041297ee728eac1f4584af05570 (diff) | |
| download | postgresql-412c5c4010c0bec294f60a10cd56929680d3f95b.tar.gz postgresql-412c5c4010c0bec294f60a10cd56929680d3f95b.zip | |
Empty search_path in logical replication apply worker and walsender.
This is like CVE-2018-1058 commit
582edc369cdbd348d68441fc50fa26a84afd0c1a. Today, a malicious user of a
publisher or subscriber database can invoke arbitrary SQL functions
under an identity running replication, often a superuser. This fix may
cause "does not exist" or "no schema has been selected to create in"
errors in a replication process. After upgrading, consider watching
server logs for these errors. Objects accruing schema qualification in
the wake of the earlier commit are unlikely to need further correction.
Back-patch to v10, which introduced logical replication.
Security: CVE-2020-14349
Diffstat (limited to 'src/backend/replication')
| -rw-r--r-- | src/backend/replication/libpqwalreceiver/libpqwalreceiver.c | 17 | ||||
| -rw-r--r-- | src/backend/replication/logical/worker.c | 6 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c index e4fd1f9bb6f..80725fe9130 100644 --- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c +++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c @@ -21,6 +21,7 @@ #include "access/xlog.h" #include "catalog/pg_type.h" +#include "common/connect.h" #include "funcapi.h" #include "libpq-fe.h" #include "mb/pg_wchar.h" @@ -213,6 +214,22 @@ libpqrcv_connect(const char *conninfo, bool logical, const char *appname, return NULL; } + if (logical) + { + PGresult *res; + + res = libpqrcv_PQexec(conn->streamConn, + ALWAYS_SECURE_SEARCH_PATH_SQL); + if (PQresultStatus(res) != PGRES_TUPLES_OK) + { + PQclear(res); + ereport(ERROR, + (errmsg("could not clear search path: %s", + pchomp(PQerrorMessage(conn->streamConn))))); + } + PQclear(res); + } + conn->logical = logical; return conn; diff --git a/src/backend/replication/logical/worker.c b/src/backend/replication/logical/worker.c index 75f41ef27c2..73b3837db66 100644 --- a/src/backend/replication/logical/worker.c +++ b/src/backend/replication/logical/worker.c @@ -1988,6 +1988,12 @@ ApplyWorkerMain(Datum main_arg) MyLogicalRepWorker->userid, 0); + /* + * Set always-secure search path, so malicious users can't redirect user + * code (e.g. pg_index.indexprs). + */ + SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE); + /* Load the subscription into persistent memory context. */ ApplyContext = AllocSetContextCreate(TopMemoryContext, "ApplyContext", |