From 64a71062e0e2fd7eb1eddd3cb4138c554fb29e4c Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 10 Aug 2020 09:22:54 -0700 Subject: Empty search_path in logical replication apply worker and walsender. This is like CVE-2018-1058 commit 582edc369cdbd348d68441fc50fa26a84afd0c1a. Today, a malicious user of a publisher or subscriber database can invoke arbitrary SQL functions under an identity running replication, often a superuser. This fix may cause "does not exist" or "no schema has been selected to create in" errors in a replication process. After upgrading, consider watching server logs for these errors. Objects accruing schema qualification in the wake of the earlier commit are unlikely to need further correction. Back-patch to v10, which introduced logical replication. Security: CVE-2020-14349 --- src/backend/replication/logical/worker.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/backend/replication/logical/worker.c') diff --git a/src/backend/replication/logical/worker.c b/src/backend/replication/logical/worker.c index 86e2ab08bf2..ba209f55ead 100644 --- a/src/backend/replication/logical/worker.c +++ b/src/backend/replication/logical/worker.c @@ -1643,6 +1643,12 @@ ApplyWorkerMain(Datum main_arg) MyLogicalRepWorker->userid, 0); + /* + * Set always-secure search path, so malicious users can't redirect user + * code (e.g. pg_index.indexprs). + */ + SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE); + /* Load the subscription into persistent memory context. */ ApplyContext = AllocSetContextCreate(TopMemoryContext, "ApplyContext", -- cgit v1.2.3