author: Noah Misch <noah@leadboat.com> 2018-02-26 07:39:44 -0800
committer: Noah Misch <noah@leadboat.com> 2018-02-26 07:39:48 -0800
commit: 91f3ffc5249eff99c311fb27e7b29a44d9c62be1 (patch)
tree: 3e1da7c2dcb544d0df7dc1e867549bcf099065cb /src/include
parent: a8fc37a6381c0c2a5064d51aa31c72168c01a49a (diff)
Empty search_path in Autovacuum and non-psql/pgbench clients.

This makes the client programs behave as documented regardless of the connect-time search_path and regardless of user-created objects. Today, a malicious user with CREATE permission on a search_path schema can take control of certain of these clients' queries and invoke arbitrary SQL functions under the client identity, often a superuser. This is exploitable in the default configuration, where all users have CREATE privilege on schema "public".

This changes behavior of user-defined code stored in the database, like pg_index.indexprs and pg_extension_config_dump(). If they reach code bearing unqualified names, "does not exist" or "no schema has been selected to create in" errors might appear. Users may fix such errors by schema-qualifying affected names. After upgrading, consider watching server logs for these errors.

The --table arguments of src/bin/scripts clients have been lax; for example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still performs a checkpoint.

Back-patch to 9.3 (all supported versions).

Reviewed by Tom Lane, though this fix strategy was not his first choice. Reported by Arseniy Sharoglazov.

Security: CVE-2018-1058
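The commit message recommends watching server logs for the two new error texts after upgrading. The following is an added example, not part of the commit or the PostgreSQL tree: a shell function that extracts those errors and pairs each with its STATEMENT line, so the query needing schema qualification is visible. It assumes stderr-format logs with a `[pid]` in log_line_prefix; the names `scan_search_path_errors` and `sample_log` and the log lines are constructed for illustration.

```shell
# Added example, not part of the commit: report log entries carrying the two
# error texts the commit message names, paired with the failing statement.
# Assumes stderr-format logs whose log_line_prefix includes "[pid]".
scan_search_path_errors() {
    # stdin: server log; stdout: kind<TAB>error text<TAB>statement (or "-")
    awk '
    function emit(p) {
        if (p in kind) {
            printf "%s\t%s\t%s\n", kind[p], msg[p], ((p in stmt) ? stmt[p] : "-")
            delete kind[p]; delete msg[p]; delete stmt[p]
        }
    }
    {   # Key pending errors by backend PID so interleaved sessions stay apart.
        pid = "?"
        if (match($0, /\[[0-9]+\]/)) pid = substr($0, RSTART + 1, RLENGTH - 2)
    }
    / (LOG|WARNING|ERROR|FATAL|PANIC): +/ {
        emit(pid)    # a new entry from this backend closes its pending one
        if (match($0, / ERROR: +/)) {
            text = substr($0, RSTART + RLENGTH)
            if (text ~ /no schema has been selected to create in/) kind[pid] = "no-creation-schema"
            else if (text ~ /does not exist/) kind[pid] = "name-not-found"
            if (pid in kind) msg[pid] = text
        }
        next
    }
    / STATEMENT: +/ && (pid in kind) {
        match($0, / STATEMENT: +/)
        stmt[pid] = substr($0, RSTART + RLENGTH)
        emit(pid)
    }
    END { for (p in kind) printf "%s\t%s\t-\n", kind[p], msg[p] }
    '
}

sample_log() {   # constructed log lines, not taken from a real server
    cat <<'EOF'
2018-03-01 10:00:00.001 UTC [4242] LOG:  checkpoint starting: time
2018-03-01 10:00:01.113 UTC [4250] ERROR:  function normalize_sku(text) does not exist
2018-03-01 10:00:01.113 UTC [4251] ERROR:  no schema has been selected to create in
2018-03-01 10:00:01.113 UTC [4250] HINT:  No function matches the given name and argument types.
2018-03-01 10:00:01.114 UTC [4251] STATEMENT:  CREATE TABLE dump_marker (id int)
2018-03-01 10:00:01.114 UTC [4250] STATEMENT:  ANALYZE public.items
2018-03-01 10:00:02.000 UTC [4260] ERROR:  division by zero
2018-03-01 10:00:02.000 UTC [4260] STATEMENT:  SELECT 1/0
EOF
}

sample_log | scan_search_path_errors
```

"does not exist" also appears in errors unrelated to search_path, so treat `name-not-found` rows as candidates to review against the statement column rather than as confirmed regressions.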
Diffstat (limited to 'src/include')
-rw-r--r-- src/include/Makefile 3
-rw-r--r-- src/include/fe_utils/connect.h 28
2 files changed, 30 insertions, 1 deletions
diff --git a/src/include/Makefile b/src/include/Makefile
index e486fd917d5..d338645d005 100644
--- a/src/include/Makefile
+++ b/src/include/Makefile
@@ -17,7 +17,8 @@ all: pg_config.h pg_config_ext.h pg_config_os.h
# Subdirectories containing headers for server-side dev
-SUBDIRS = access bootstrap catalog commands common datatype executor foreign \
+SUBDIRS = access bootstrap catalog commands common datatype \
+ executor fe_utils foreign \
lib libpq mb nodes optimizer parser postmaster regex replication \
rewrite storage tcop snowball snowball/libstemmer tsearch \
tsearch/dicts utils port port/atomics port/win32 port/win32_msvc \
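Review bot: The context comment directly above SUBDIRS still reads "Subdirectories containing headers for server-side dev", yet the entry added here, fe_utils, holds a header this same patch describes as "Interfaces in support of FE/BE connections" for client programs. Suggest either rewording that comment or adding a line explaining why a frontend header directory belongs in this list, so a later reader does not treat the list as server-only and drop it.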
diff --git a/src/include/fe_utils/connect.h b/src/include/fe_utils/connect.h
new file mode 100644
index 00000000000..fa293d2458d
--- /dev/null
+++ b/src/include/fe_utils/connect.h
@@ -0,0 +1,28 @@
+/*-------------------------------------------------------------------------
+ *
+ * Interfaces in support of FE/BE connections.
+ *
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/fe_utils/connect.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef CONNECT_H
+#define CONNECT_H
+
+/*
+ * This SQL statement installs an always-secure search path, so malicious
+ * users can't take control. CREATE of an unqualified name will fail, because
+ * this selects no creation schema. This does not demote pg_temp, so it is
+ * suitable where we control the entire FE/BE connection but not suitable in
+ * SECURITY DEFINER functions. This is portable to PostgreSQL 7.3, which
+ * introduced schemas. When connected to an older version from code that
+ * might work with the old server, skip this.
+ */
+#define ALWAYS_SECURE_SEARCH_PATH_SQL \
+ "SELECT pg_catalog.set_config('search_path', '', false)"
+
+#endif /* CONNECT_H */
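Review bot: The macro name ALWAYS_SECURE_SEARCH_PATH_SQL promises more than the comment above it grants: that comment already excludes SECURITY DEFINER functions (pg_temp is not demoted) and servers older than 7.3, and both conditions are left entirely to each caller. Suggest spelling out the caller contract in the comment: the statement is a SELECT, so callers should expect a tuples result rather than a command-complete status and treat anything else as a failed connection setup; and the third argument `false` makes the setting session-level, so it has to be sent on every new connection before any other query and is not protected against a later change to search_path in the same session.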