diff options
| author | Noah Misch <noah@leadboat.com> | 2020-11-09 07:32:09 -0800 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2020-11-09 07:32:09 -0800 |
| commit | 098fb00799ffb026ff12c64bd21635f963cfc609 (patch) | |
| tree | 85459aab4bb940c798d8dd2600500f461135cc76 /src/bin/psql/common.c | |
| parent | 0c3185e963d9f9dd0608214f7d732b84aa0888fe (diff) | |
| download | postgresql-098fb00799ffb026ff12c64bd21635f963cfc609.tar.gz postgresql-098fb00799ffb026ff12c64bd21635f963cfc609.zip | |
Ignore attempts to \gset into specially treated variables.
If an interactive psql session used \gset when querying a compromised
server, the attacker could execute arbitrary code as the operating
system account running psql. Using a prefix not found among specially
treated variables, e.g. every lowercase string, precluded the attack.
Fix by issuing a warning and setting no variable for the column in
question. Users wanting the old behavior can use a prefix and then a
meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5
(all supported versions).
Reviewed by Robert Haas. Reported by Nick Cleaton.
Security: CVE-2020-25696
Diffstat (limited to 'src/bin/psql/common.c')
| -rw-r--r-- | src/bin/psql/common.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c index ff673665d86..dfbc22970f8 100644 --- a/src/bin/psql/common.c +++ b/src/bin/psql/common.c @@ -786,6 +786,13 @@ StoreQueryTuple(const PGresult *result) /* concatenate prefix and column name */ varname = psprintf("%s%s", pset.gset_prefix, colname); + if (VariableHasHook(pset.vars, varname)) + { + pg_log_warning("attempt to \\gset into specially treated variable \"%s\" ignored", + varname); + continue; + } + if (!PQgetisnull(result, 0, i)) value = PQgetvalue(result, 0, i); else |