From 226a980bb0dfaaa4cee3650889218483aa9ec632 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Sun, 12 Feb 2006 22:32:43 +0000 Subject: Fix bug that allowed any logged-in user to SET ROLE to any other database user id (CVE-2006-0553). Also fix related bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash the server, if it has been compiled with Asserts enabled. The escalation-of-privilege risk exists only in 8.1.0-8.1.2. However, the Assert-crash risk exists in all releases back to 7.3. Thanks to Akio Ishida for reporting this problem. --- src/backend/commands/variable.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/backend/commands/variable.c') diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c index 38a10bd605b..6d36e5ce1ac 100644 --- a/src/backend/commands/variable.c +++ b/src/backend/commands/variable.c @@ -9,7 +9,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.115 2005/11/22 18:17:10 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.116 2006/02/12 22:32:42 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -586,7 +586,9 @@ assign_client_encoding(const char *value, bool doit, GucSource source) * by the numeric oid, followed by a comma, followed by the role name. * This cannot be confused with a plain role name because of the NAMEDATALEN * limit on names, so we can tell whether we're being passed an initial - * role name or a saved/restored value. + * role name or a saved/restored value. (NOTE: we rely on guc.c to have + * properly truncated any incoming value, but not to truncate already-stored + * values. See GUC_IS_NAME processing.) */ extern char *session_authorization_string; /* in guc.c */ -- cgit v1.2.3