Ignore attempts to \gset into specially treated variables.

If an interactive psql session used \gset when querying a compromised
server, the attacker could execute arbitrary code as the operating
system account running psql.  Using a prefix not found among specially
treated variables, e.g. every lowercase string, precluded the attack.
Fix by issuing a warning and setting no variable for the column in
question.  Users wanting the old behavior can use a prefix and then a
meta-command like "\set HISTSIZE :prefix_HISTSIZE".  Back-patch to 9.5
(all supported versions).

Reviewed by Robert Haas.  Reported by Nick Cleaton.

Security: CVE-2020-25696

1 files changed, 7 insertions, 0 deletions

diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c
index 9b5b8439608..11200cc6a6f 100644
--- a/src/bin/psql/common.c
+++ b/src/bin/psql/common.c
@@ -942,6 +942,13 @@ StoreQueryTuple(const PGresult *result)
 			/* concatenate prefix and column name */
 			varname = psprintf("%s%s", pset.gset_prefix, colname);
 
+			if (VariableHasHook(pset.vars, varname))
+			{
+				psql_error("attempt to \\gset into specially treated variable \"%s\" ignored\n",
+						   varname);
+				continue;
+			}
+
 			if (!PQgetisnull(result, 0, i))
 				value = PQgetvalue(result, 0, i);
 			else