From 3855e5b4767b189d4daf6e9a774e4e64be72e0ff Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 9 Nov 2020 07:32:09 -0800 Subject: Ignore attempts to \gset into specially treated variables. If an interactive psql session used \gset when querying a compromised server, the attacker could execute arbitrary code as the operating system account running psql. Using a prefix not found among specially treated variables, e.g. every lowercase string, precluded the attack. Fix by issuing a warning and setting no variable for the column in question. Users wanting the old behavior can use a prefix and then a meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5 (all supported versions). Reviewed by Robert Haas. Reported by Nick Cleaton. Security: CVE-2020-25696 --- src/bin/psql/common.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/bin/psql/common.c') diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c index 4b2679360fc..8cb924a861e 100644 --- a/src/bin/psql/common.c +++ b/src/bin/psql/common.c @@ -921,6 +921,13 @@ StoreQueryTuple(const PGresult *result) /* concatenate prefix and column name */ varname = psprintf("%s%s", pset.gset_prefix, colname); + if (VariableHasHook(pset.vars, varname)) + { + pg_log_warning("attempt to \\gset into specially treated variable \"%s\" ignored", + varname); + continue; + } + if (!PQgetisnull(result, 0, i)) value = PQgetvalue(result, 0, i); else -- cgit v1.2.3