# Copyright (c) 2021-2025, PostgreSQL Global Development Group

#  src/pl/plperl/plc_trusted.pl

#<<< protect next line from perltidy so perlcritic annotation works
package PostgreSQL::InServer::safe; ## no critic (RequireFilenameMatchesPackage)
#>>>

# Load widely useful pragmas into plperl to make them available.
#
# SECURITY RISKS:
#
# Since these modules are free to compile unsafe opcodes they must
# be trusted to not allow any code containing unsafe opcodes to be abused.
# That's much harder than it sounds.
#
# Be aware that perl provides a wide variety of ways to subvert
# pre-compiled code. For some examples, see this presentation:
# http://www.slideshare.net/cdman83/barely-legal-xxx-perl-presentation
#
# If in ANY doubt about a module, or ANY of the modules down the chain of
# dependencies it loads, then DO NOT add it to this list.
#
# To check if any of these modules use "unsafe" opcodes you can compile
# plperl with the PLPERL_ENABLE_OPMASK_EARLY macro defined. See plperl.c

# The modules made available to plperl.  Each one is pulled in with require,
# which loads and compiles the module but, unlike use, does not call its
# import method.
# NOTE(review): every entry added here is subject to the dependency-chain
# caution in the SECURITY RISKS comment at the top of this file.
require strict;
require Carp;
require Carp::Heavy;
require warnings;
# $] holds the running interpreter's version as a number; feature.pm is only
# requested on perl 5.10.0 or later.
require feature if $] >= 5.010000;

#<<< protect next line from perltidy so perlcritic annotation works
package PostgreSQL::InServer::WarnEnv; ## no critic (RequireFilenameMatchesPackage)
#>>>

use strict;
use warnings;
use Tie::Hash;
our @ISA = qw(Tie::StdHash);

# Tied-hash STORE handler, invoked as STORE(this, key, value) for every
# assignment to an element of a hash tied to this package.  It replaces the
# STORE inherited through @ISA: the value is not recorded, only a warning
# naming the key ($_[1]) is issued.  The message has no trailing newline, so
# perl appends the file and line of this warn statement to it.
sub STORE  { warn "attempted alteration of \$ENV{$_[1]}"; }
# Tied-hash DELETE handler, invoked as DELETE(this, key) when an element of
# a hash tied to this package is deleted.  The entry is left in place; only
# a warning naming the key ($_[1]) is issued, with perl appending the
# location of this warn statement because the message has no trailing newline.
sub DELETE { warn "attempted deletion of \$ENV{$_[1]}"; }
# Tied-hash CLEAR handler, invoked as CLEAR(this) when a hash tied to this
# package is emptied as a whole.  Nothing is removed; only a warning is
# issued, with perl appending the location of this warn statement because
# the message has no trailing newline.
sub CLEAR  { warn "attempted clearance of ENV hash"; }

# Remove magic property of %ENV. Changes to this will now not be reflected in
# the process environment.
#
# {%ENV} builds a new anonymous hash holding a copy of the current entries.
# Assigning that reference to the *main::ENV glob replaces only the glob's
# hash slot, so %main::ENV (and unqualified %ENV, which always lives in main)
# now names the plain copy rather than the environment-backed hash.
*main::ENV = {%ENV};

# Block %ENV changes from trusted PL/Perl, and warn. We changed %ENV to just a
# normal hash, yet the application may be expecting the usual Perl %ENV
# magic. Blocking and warning avoids silent application breakage. The user can
# untie or otherwise disable this, e.g. if the lost mutation is unimportant
# and modifying the code to stop that mutation would be onerous.
#
# Because "or" binds more loosely than the list operator, the die guards the
# tie call as a whole, not its last argument.
# NOTE(review): the trailing %ENV is flattened into extra arguments for
# TIEHASH, which this package inherits from Tie::StdHash (not shown here) --
# confirm whether that constructor uses them, i.e. whether reads of %ENV
# through the tie still return the copied values.
# NOTE(review): as the paragraph above says, the tie can be removed by the
# user, so it is a warning aid; the isolation from the process environment
# comes from replacing %ENV with a plain copy, not from this tie.
tie %main::ENV, 'PostgreSQL::InServer::WarnEnv', %ENV or die $!;