From a54dfbee1f1bad431793968918bbb8541dc860a0 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 9 Nov 2020 07:32:09 -0800 Subject: Ignore attempts to \gset into specially treated variables. If an interactive psql session used \gset when querying a compromised server, the attacker could execute arbitrary code as the operating system account running psql. Using a prefix not found among specially treated variables, e.g. every lowercase string, precluded the attack. Fix by issuing a warning and setting no variable for the column in question. Users wanting the old behavior can use a prefix and then a meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5 (all supported versions). Reviewed by Robert Haas. Reported by Nick Cleaton. Security: CVE-2020-25696 --- src/bin/psql/variables.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/bin/psql/variables.h') diff --git a/src/bin/psql/variables.h b/src/bin/psql/variables.h index c071846d9ff..fba4af0c811 100644 --- a/src/bin/psql/variables.h +++ b/src/bin/psql/variables.h @@ -50,6 +50,7 @@ void PrintVariables(VariableSpace space); bool SetVariable(VariableSpace space, const char *name, const char *value); bool SetVariableAssignHook(VariableSpace space, const char *name, VariableAssignHook hook); +bool VariableHasHook(VariableSpace space, const char *name); bool SetVariableBool(VariableSpace space, const char *name); bool DeleteVariable(VariableSpace space, const char *name); -- cgit v1.2.3