diff options
| author | Noah Misch <noah@leadboat.com> | 2020-11-09 07:32:09 -0800 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2020-11-09 07:32:13 -0800 |
| commit | a498db87be103f93856dd515a574b2d67d3c1237 (patch) | |
| tree | ccd9d8ac42f9af53011de7faf8784828256b4e9e /src/bin/psql/variables.h | |
| parent | f97ecea1ed7b09c6f1398540a1d72a57eee70c9f (diff) | |
| download | postgresql-a498db87be103f93856dd515a574b2d67d3c1237.tar.gz postgresql-a498db87be103f93856dd515a574b2d67d3c1237.zip | |
Ignore attempts to \gset into specially treated variables.
If an interactive psql session used \gset when querying a compromised
server, the attacker could execute arbitrary code as the operating
system account running psql. Using a prefix not found among specially
treated variables, e.g. every lowercase string, precluded the attack.
Fix by issuing a warning and setting no variable for the column in
question. Users wanting the old behavior can use a prefix and then a
meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5
(all supported versions).
Reviewed by Robert Haas. Reported by Nick Cleaton.
Security: CVE-2020-25696
Diffstat (limited to 'src/bin/psql/variables.h')
| -rw-r--r-- | src/bin/psql/variables.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/bin/psql/variables.h b/src/bin/psql/variables.h index 02d85b1bc2e..8dc5c20ee8f 100644 --- a/src/bin/psql/variables.h +++ b/src/bin/psql/variables.h @@ -90,6 +90,7 @@ bool DeleteVariable(VariableSpace space, const char *name); void SetVariableHooks(VariableSpace space, const char *name, VariableSubstituteHook shook, VariableAssignHook ahook); +bool VariableHasHook(VariableSpace space, const char *name); void PsqlVarEnumError(const char *name, const char *value, const char *suggestions); |