From 3855e5b4767b189d4daf6e9a774e4e64be72e0ff Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com>
Date: Mon, 9 Nov 2020 07:32:09 -0800
Subject: Ignore attempts to \gset into specially treated variables.

If an interactive psql session used \gset when querying a compromised
server, the attacker could execute arbitrary code as the operating
system account running psql.  Using a prefix not found among specially
treated variables, e.g. every lowercase string, precluded the attack.
Fix by issuing a warning and setting no variable for the column in
question.  Users wanting the old behavior can use a prefix and then a
meta-command like "\set HISTSIZE :prefix_HISTSIZE".  Back-patch to 9.5
(all supported versions).

Reviewed by Robert Haas.  Reported by Nick Cleaton.

Security: CVE-2020-25696
---
 src/bin/psql/variables.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'src/bin/psql/variables.c')

diff --git a/src/bin/psql/variables.c b/src/bin/psql/variables.c
index 1d2a31cd65d..f32a9854496 100644
--- a/src/bin/psql/variables.c
+++ b/src/bin/psql/variables.c
@@ -362,6 +362,32 @@ SetVariableHooks(VariableSpace space, const char *name,
 		(void) (*ahook) (current->value);
 }
 
+/*
+ * Return true iff the named variable has substitute and/or assign hook
+ * functions.
+ */
+bool
+VariableHasHook(VariableSpace space, const char *name)
+{
+	struct _variable *current;
+
+	Assert(space);
+	Assert(name);
+
+	for (current = space->next; current; current = current->next)
+	{
+		int			cmp = strcmp(current->name, name);
+
+		if (cmp == 0)
+			return (current->substitute_hook != NULL ||
+					current->assign_hook != NULL);
+		if (cmp > 0)
+			break;				/* it's not there */
+	}
+
+	return false;
+}
+
 /*
  * Convenience function to set a variable's value to "on".
  */
-- 
cgit v1.2.3