Ignore attempts to \gset into specially treated variables.

If an interactive psql session used \gset when querying a compromised server, the attacker could execute arbitrary code as the operating system account running psql. Using a prefix not found among specially treated variables, e.g. every lowercase string, precluded the attack. Fix by issuing a warning and setting no variable for the column in question. Users wanting the old behavior can use a prefix and then a meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5 (all supported versions). Reviewed by Robert Haas. Reported by Nick Cleaton. Security: CVE-2020-25696
author: Noah Misch <noah@leadboat.com> 2020-11-09 07:32:09 -0800
committer: Noah Misch <noah@leadboat.com> 2020-11-09 07:32:13 -0800
commit: a498db87be103f93856dd515a574b2d67d3c1237 (patch)
tree: ccd9d8ac42f9af53011de7faf8784828256b4e9e /src/bin/psql/common.c
parent: f97ecea1ed7b09c6f1398540a1d72a57eee70c9f (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c
index d04a7943d6a..4e342c180a6 100644
--- a/src/bin/psql/common.c
+++ b/src/bin/psql/common.c
@@ -894,6 +894,13 @@ StoreQueryTuple(const PGresult *result)
 			/* concatenate prefix and column name */
 			varname = psprintf("%s%s", pset.gset_prefix, colname);
 
+			if (VariableHasHook(pset.vars, varname))
+			{
+				psql_error("attempt to \\gset into specially treated variable \"%s\" ignored\n",
+						   varname);
+				continue;
+			}
+
 			if (!PQgetisnull(result, 0, i))
 				value = PQgetvalue(result, 0, i);
 			else
author	Noah Misch <noah@leadboat.com>	2020-11-09 07:32:09 -0800
committer	Noah Misch <noah@leadboat.com>	2020-11-09 07:32:13 -0800
commit	a498db87be103f93856dd515a574b2d67d3c1237 (patch)
tree	ccd9d8ac42f9af53011de7faf8784828256b4e9e /src/bin/psql/common.c
parent	f97ecea1ed7b09c6f1398540a1d72a57eee70c9f (diff)