Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/ref/create_function.sgml | 50 | ||||
| -rw-r--r-- | doc/src/sgml/release.sgml | 24 | ||||
| -rw-r--r-- | doc/src/sgml/runtime.sgml | 16 |
3 files changed, 82 insertions, 8 deletions
diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml
index 6c737f26141..cc4a138ae82 100644
--- a/doc/src/sgml/ref/create_function.sgml
+++ b/doc/src/sgml/ref/create_function.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.43 2002/09/21 18:32:54 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.43.2.1 2007/04/20 02:38:57 tgl Exp $
 -->
 <refentry id="SQL-CREATEFUNCTION">
@@ -448,6 +448,54 @@ Point * complex_to_point (Complex *z)
 </para>
 </refsect1>
+ <refsect1 id="sql-createfunction-security">
+ <title>Writing <literal>SECURITY DEFINER</literal> Functions Safely</title>
+
+ <para>
+ Because a <literal>SECURITY DEFINER</literal> function is executed
+ with the privileges of the user that created it, care is needed to
+ ensure that the function cannot be misused. For security,
+ <xref linkend="guc-search-path"> should be set to exclude any schemas
+ writable by untrusted users. This prevents
+ malicious users from creating objects that mask objects used by the
+ function. Particularly important is in this regard is the
+ temporary-table schema, which is searched first by default, and
+ is normally writable by anyone. A secure arrangement can be had
+ by forcing the temporary schema to be searched last. To do this,
+ write <literal>pg_temp</> as the last entry in <varname>search_path</>.
+ This function illustrates safe usage:
+ </para>
+
+<programlisting>
+CREATE FUNCTION check_password(TEXT, TEXT)
+RETURNS BOOLEAN AS '
+DECLARE passed BOOLEAN;
+ old_path TEXT;
+BEGIN
+ -- Save old search_path; notice we must qualify current_setting
+ -- to ensure we invoke the right function
+ old_path := pg_catalog.current_setting(''search_path'');
+
+ -- Set a secure search_path: trusted schemas, then ''pg_temp''.
+ -- We set is_local = true so that the old value will be restored
+ -- in event of an error before we reach the function end.
+ PERFORM pg_catalog.set_config(''search_path'', ''admin, pg_temp'', true);
+
+ -- Do whatever secure work we came for.
+ SELECT (pwd = $2) INTO passed
+ FROM pwds
+ WHERE username = $1;
+
+ -- Restore caller''s search_path
+ PERFORM pg_catalog.set_config(''search_path'', old_path, true);
+
+ RETURN passed;
+END;
+' LANGUAGE plpgsql SECURITY DEFINER;
+</programlisting>
+
+ </refsect1>
+
 <refsect1 id="sql-createfunction-compat">
 <title>Compatibility</title>
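Review bot: The `check_password` example in the new security section still leaves two exposures that the search_path handling alone does not close. It is created `SECURITY DEFINER` with no privilege change, so if this release follows the usual default of EXECUTE on new functions being granted to PUBLIC, any user can call it and probe `pwds` for arbitrary usernames; the listing should be followed by `REVOKE ALL ON FUNCTION check_password(TEXT, TEXT) FROM PUBLIC;` and a `GRANT EXECUTE` to the intended role. The query also reads `FROM pwds` unqualified and therefore depends entirely on `admin` being listed first in the hard-coded path; writing `FROM admin.pwds` removes that dependency at no cost, and the comparison `pwd = $2` should be noted as a placeholder rather than a recommendation to store cleartext passwords. The prose line `Particularly important is in this regard is the` also has a duplicated `is`. The enclosing refentry starts and ends outside the hunk.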
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 10177e0ca93..e252be51a58 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:44 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.42 2007/04/20 02:38:57 tgl Exp $
 -->
 <appendix id="release">
@@ -14,7 +14,8 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:
 </note>
 <para>
- This release contains a variety of fixes from 7.3.18.
+ This release contains fixes from 7.3.18,
+ including a security fix.
 </para>
 <sect2>
@@ -35,7 +36,24 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:
 <listitem>
 <para>
- Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee)
+ Support explicit placement of the temporary-table schema within
+ <varname>search_path</>, and disable searching it for functions
+ and operators (Tom)
+ </para>
+ <para>
+ This is needed to allow a security-definer function to set a
+ truly secure value of <varname>search_path</>. Without it,
+ an unprivileged SQL user can use temporary objects to execute code
+ with the privileges of the security-definer function (CVE-2007-2138).
+ See <xref linkend="sql-createfunction"
+ endterm="sql-createfunction-title"> for more information.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles
+ <command>UPDATE</> chains (Tom, Pavan Deolasee)
 </para>
 </listitem>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 718e90d8f85..a4beea16c5f 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.8 2006/05/21 20:12:20 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.9 2007/04/20 02:38:58 tgl Exp $
 -->
 <Chapter Id="runtime">
@@ -1769,9 +1769,17 @@ dynamic_library_path = '/usr/local/lib/postgresql:/home/my_project/lib:$libdir'
 mentioned in the path then it will be searched in the specified order.
 If <literal>pg_catalog</> is not in the path then it will be searched
 <emphasis>before</> searching any of the path items.
- It should also be noted that the temporary-table schema,
- <literal>pg_temp_<replaceable>nnn</></>, is implicitly searched before any of
- these.
+ </para>
+
+ <para>
+ Likewise, the current session's temporary-table schema,
+ <literal>pg_temp_<replaceable>nnn</></>, is always searched if it
+ exists. It can be explicitly listed in the path by using the
+ alias <literal>pg_temp</>. If it is not listed in the path then
+ it is searched first (before even <literal>pg_catalog</>). However,
+ the temporary schema is only searched for relation (table, view,
+ sequence, etc) and data type names. It will never be searched for
+ function or operator names.
 </para>
 <para>
|
