diff options
| author | Noah Misch <noah@leadboat.com> | 2018-02-26 07:39:44 -0800 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2018-02-26 07:39:44 -0800 |
| commit | 582edc369cdbd348d68441fc50fa26a84afd0c1a (patch) | |
| tree | 7a501f207f31cfecfd226e9284cb26303f2187b5 /src/bin/pg_basebackup/streamutil.c | |
| parent | 3d2aed664ee8271fd6c721ed0aa10168cda112ea (diff) | |
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
Diffstat (limited to 'src/bin/pg_basebackup/streamutil.c')
| -rw-r--r-- | src/bin/pg_basebackup/streamutil.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/bin/pg_basebackup/streamutil.c b/src/bin/pg_basebackup/streamutil.c index c88cede1676..296b1888aad 100644 --- a/src/bin/pg_basebackup/streamutil.c +++ b/src/bin/pg_basebackup/streamutil.c @@ -24,6 +24,7 @@ #include "access/xlog_internal.h" #include "common/fe_memutils.h" #include "datatype/timestamp.h" +#include "fe_utils/connect.h" #include "port/pg_bswap.h" #include "pqexpbuffer.h" @@ -208,6 +209,23 @@ GetConnection(void) if (conn_opts) PQconninfoFree(conn_opts); + /* Set always-secure search path, so malicious users can't get control. */ + if (dbname != NULL) + { + PGresult *res; + + res = PQexec(tmpconn, ALWAYS_SECURE_SEARCH_PATH_SQL); + if (PQresultStatus(res) != PGRES_TUPLES_OK) + { + fprintf(stderr, _("%s: could not clear search_path: %s\n"), + progname, PQerrorMessage(tmpconn)); + PQclear(res); + PQfinish(tmpconn); + exit(1); + } + PQclear(res); + } + /* * Ensure we have the same value of integer_datetimes (now always "on") as * the server we are connecting to. |