NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit91f3ffc

committed

Empty search_path in Autovacuum and non-psql/pgbench clients.

This makes the client programs behave as documented regardless of theconnect-time search_path and regardless of user-created objects. Today,a malicious user with CREATE permission on a search_path schema can takecontrol of certain of these clients' queries and invoke arbitrary SQLfunctions under the client identity, often a superuser. This isexploitable in the default configuration, where all users have CREATEprivilege on schema "public".This changes behavior of user-defined code stored in the database, likepg_index.indexprs and pg_extension_config_dump(). If they reach codebearing unqualified names, "does not exist" or "no schema has beenselected to create in" errors might appear. Users may fix such errorsby schema-qualifying affected names. After upgrading, consider watchingserver logs for these errors.The --table arguments of src/bin/scripts clients have been lax; forexample, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. Thatnow fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" stillperforms a checkpoint.Back-patch to 9.3 (all supported versions).Reviewed by Tom Lane, though this fix strategy was not his first choice.Reported by Arseniy Sharoglazov.Security:CVE-2018-1058

1 parenta8fc37a commit91f3ffcCopy full SHA for 91f3ffc

File tree

28 files changed

+360

-89

lines changed

contrib
- oid2name
  - oid2name.c
- vacuumlo
  - vacuumlo.c
src
- backend/postmaster
  - autovacuum.c
- bin
  - pg_basebackup
    - streamutil.c
  - pg_dump
  - pg_rewind
    - libpq_fetch.c
  - pg_upgrade
    - server.c
  - scripts
- include
  - Makefile
  - fe_utils
    - connect.h
- tools/findoidjoins
  - findoidjoins.c

28 files changed

+360

-89

lines changed

`‎contrib/oid2name/oid2name.c‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`	`*/`
`10`	`10`	`#include"postgres_fe.h"`
`11`	`11`
	`12`	`+#include"fe_utils/connect.h"`
`12`	`13`	`#include"libpq-fe.h"`
`13`	`14`	`#include"pg_getopt.h"`
`14`	`15`
`@@ -263,6 +264,7 @@ sql_conn(struct options * my_opts)`
`263`	`264`	`PGconn*conn;`
`264`	`265`	`char*password=NULL;`
`265`	`266`	`boolnew_pass;`
	`267`	`+PGresult*res;`
`266`	`268`
`267`	`269`	`/*`
`268`	`270`	`* Start the connection. Loop until we have a password if requested by`
`@@ -322,6 +324,17 @@ sql_conn(struct options * my_opts)`
`322`	`324`	`exit(1);`
`323`	`325`	`}`
`324`	`326`
	`327`	`+res=PQexec(conn,ALWAYS_SECURE_SEARCH_PATH_SQL);`
	`328`	`+if (PQresultStatus(res)!=PGRES_TUPLES_OK)`
	`329`	`+{`
	`330`	`+fprintf(stderr,"oid2name: could not clear search_path: %s\n",`
	`331`	`+PQerrorMessage(conn));`
	`332`	`+PQclear(res);`
	`333`	`+PQfinish(conn);`
	`334`	`+exit(-1);`
	`335`	`+}`
	`336`	`+PQclear(res);`
	`337`	`+`
`325`	`338`	`/* return the conn if good */`
`326`	`339`	`returnconn;`
`327`	`340`	`}`

`‎contrib/vacuumlo/vacuumlo.c‎`

Lines changed: 3 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@`
`21`	`21`	`#include<termios.h>`
`22`	`22`	`#endif`
`23`	`23`
	`24`	`+#include"fe_utils/connect.h"`
`24`	`25`	`#include"libpq-fe.h"`
`25`	`26`	`#include"pg_getopt.h"`
`26`	`27`
`@@ -135,11 +136,8 @@ vacuumlo(const char database, const struct _param param)`
`135`	`136`	`fprintf(stdout,"Test run: no large objects will be removed!\n");`
`136`	`137`	`}`
`137`	`138`
`138`		`-/*`
`139`		`- * Don't get fooled by any non-system catalogs`
`140`		`- */`
`141`		`-res=PQexec(conn,"SET search_path = pg_catalog");`
`142`		`-if (PQresultStatus(res)!=PGRES_COMMAND_OK)`
	`139`	`+res=PQexec(conn,ALWAYS_SECURE_SEARCH_PATH_SQL);`
	`140`	`+if (PQresultStatus(res)!=PGRES_TUPLES_OK)`
`143`	`141`	`{`
`144`	`142`	`fprintf(stderr,"Failed to set search_path:\n");`
`145`	`143`	`fprintf(stderr,"%s",PQerrorMessage(conn));`

`‎src/backend/postmaster/autovacuum.c‎`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -530,6 +530,12 @@ AutoVacLauncherMain(int argc, char *argv[])`
`530`	`530`	`/* must unblock signals before calling rebuild_database_list */`
`531`	`531`	`PG_SETMASK(&UnBlockSig);`
`532`	`532`
	`533`	`+/*`
	`534`	`+ * Set always-secure search path. Launcher doesn't connect to a database,`
	`535`	`+ * so this has no effect.`
	`536`	`+ */`
	`537`	`+SetConfigOption("search_path","",PGC_SUSET,PGC_S_OVERRIDE);`
	`538`	`+`
`533`	`539`	`/*`
`534`	`540`	`* Force zero_damaged_pages OFF in the autovac process, even if it is set`
`535`	`541`	`* in postgresql.conf. We don't really want such a dangerous option being`
`@@ -1543,6 +1549,14 @@ AutoVacWorkerMain(int argc, char *argv[])`
`1543`	`1549`
`1544`	`1550`	`PG_SETMASK(&UnBlockSig);`
`1545`	`1551`
	`1552`	`+/*`
	`1553`	`+ * Set always-secure search path, so malicious users can't redirect user`
	`1554`	`+ * code (e.g. pg_index.indexprs). (That code runs in a`
	`1555`	`+ * SECURITY_RESTRICTED_OPERATION sandbox, so malicious users could not`
	`1556`	`+ * take control of the entire autovacuum worker in any case.)`
	`1557`	`+ */`
	`1558`	`+SetConfigOption("search_path","",PGC_SUSET,PGC_S_OVERRIDE);`
	`1559`	`+`
`1546`	`1560`	`/*`
`1547`	`1561`	`* Force zero_damaged_pages OFF in the autovac process, even if it is set`
`1548`	`1562`	`* in postgresql.conf. We don't really want such a dangerous option being`

`‎src/bin/pg_basebackup/streamutil.c‎`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`	`#include"pqexpbuffer.h"`
`31`	`31`	`#include"common/fe_memutils.h"`
`32`	`32`	`#include"datatype/timestamp.h"`
	`33`	`+#include"fe_utils/connect.h"`
`33`	`34`
`34`	`35`	`#defineERRCODE_DUPLICATE_OBJECT "42710"`
`35`	`36`
`@@ -208,6 +209,23 @@ GetConnection(void)`
`208`	`209`	`if (conn_opts)`
`209`	`210`	`PQconninfoFree(conn_opts);`
`210`	`211`
	`212`	`+/* Set always-secure search path, so malicious users can't get control. */`
	`213`	`+if (dbname!=NULL)`
	`214`	`+{`
	`215`	`+PGresult*res;`
	`216`	`+`
	`217`	`+res=PQexec(tmpconn,ALWAYS_SECURE_SEARCH_PATH_SQL);`
	`218`	`+if (PQresultStatus(res)!=PGRES_TUPLES_OK)`
	`219`	`+{`
	`220`	`+fprintf(stderr,_("%s: could not clear search_path: %s\n"),`
	`221`	`+progname,PQerrorMessage(tmpconn));`
	`222`	`+PQclear(res);`
	`223`	`+PQfinish(tmpconn);`
	`224`	`+exit(1);`
	`225`	`+}`
	`226`	`+PQclear(res);`
	`227`	`+}`
	`228`	`+`
`211`	`229`	`/*`
`212`	`230`	`* Ensure we have the same value of integer timestamps as the server we`
`213`	`231`	`* are connecting to.`

`‎src/bin/pg_dump/dumputils.c‎`

Lines changed: 10 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1376,8 +1376,9 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1376`	`1376`	`}`
`1377`	`1377`
`1378`	`1378`	`/*`
`1379`		`- * Now decide what we need to emit. Note there will be a leading "^(" in`
`1380`		`- * the patterns in any case.`
	`1379`	`+ * Now decide what we need to emit. We may run under a hostile`
	`1380`	`+ * search_path, so qualify EVERY name. Note there will be a leading "^("`
	`1381`	`+ * in the patterns in any case.`
`1381`	`1382`	`*/`
`1382`	`1383`	`if (namebuf.len>2)`
`1383`	`1384`	`{`
`@@ -1390,15 +1391,18 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1390`	`1391`	`WHEREAND();`
`1391`	`1392`	`if (altnamevar)`
`1392`	`1393`	`{`
`1393`		`-appendPQExpBuffer(buf,"(%s ~ ",namevar);`
	`1394`	`+appendPQExpBuffer(buf,`
	`1395`	`+"(%s OPERATOR(pg_catalog.~) ",namevar);`
`1394`	`1396`	`appendStringLiteralConn(buf,namebuf.data,conn);`
`1395`		`-appendPQExpBuffer(buf,"\n OR %s ~ ",altnamevar);`
	`1397`	`+appendPQExpBuffer(buf,`
	`1398`	`+"\n OR %s OPERATOR(pg_catalog.~) ",`
	`1399`	`+altnamevar);`
`1396`	`1400`	`appendStringLiteralConn(buf,namebuf.data,conn);`
`1397`	`1401`	`appendPQExpBufferStr(buf,")\n");`
`1398`	`1402`	`}`
`1399`	`1403`	`else`
`1400`	`1404`	`{`
`1401`		`-appendPQExpBuffer(buf,"%s~ ",namevar);`
	`1405`	`+appendPQExpBuffer(buf,"%sOPERATOR(pg_catalog.~) ",namevar);`
`1402`	`1406`	`appendStringLiteralConn(buf,namebuf.data,conn);`
`1403`	`1407`	`appendPQExpBufferChar(buf,'\n');`
`1404`	`1408`	`}`
`@@ -1414,7 +1418,7 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1414`	`1418`	`if (strcmp(schemabuf.data,"^(.*)$")!=0&&schemavar)`
`1415`	`1419`	`{`
`1416`	`1420`	`WHEREAND();`
`1417`		`-appendPQExpBuffer(buf,"%s~ ",schemavar);`
	`1421`	`+appendPQExpBuffer(buf,"%sOPERATOR(pg_catalog.~) ",schemavar);`
`1418`	`1422`	`appendStringLiteralConn(buf,schemabuf.data,conn);`
`1419`	`1423`	`appendPQExpBufferChar(buf,'\n');`
`1420`	`1424`	`}`

`‎src/bin/pg_dump/pg_backup_db.c‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`#include"postgres_fe.h"`
`13`	`13`
`14`	`14`	`#include"dumputils.h"`
	`15`	`+#include"fe_utils/connect.h"`
`15`	`16`	`#include"parallel.h"`
`16`	`17`	`#include"pg_backup_archiver.h"`
`17`	`18`	`#include"pg_backup_db.h"`
`@@ -113,6 +114,11 @@ ReconnectToServer(ArchiveHandle AH, const char dbname, const char *username)`
`113`	`114`	`PQfinish(AH->connection);`
`114`	`115`	`AH->connection=newConn;`
`115`	`116`
	`117`	`+/* Start strict; later phases may override this. */`
	`118`	`+if (PQserverVersion(AH->connection) >=70300)`
	`119`	`+PQclear(ExecuteSqlQueryForSingleRow((Archive*)AH,`
	`120`	`+ALWAYS_SECURE_SEARCH_PATH_SQL));`
	`121`	`+`
`116`	`122`	`return1;`
`117`	`123`	`}`
`118`	`124`
`@@ -321,6 +327,11 @@ ConnectDatabase(Archive *AHX,`
`321`	`327`	`PQdb(AH->connection) ?PQdb(AH->connection) :"",`
`322`	`328`	`PQerrorMessage(AH->connection));`
`323`	`329`
	`330`	`+/* Start strict; later phases may override this. */`
	`331`	`+if (PQserverVersion(AH->connection) >=70300)`
	`332`	`+PQclear(ExecuteSqlQueryForSingleRow((Archive*)AH,`
	`333`	`+ALWAYS_SECURE_SEARCH_PATH_SQL));`
	`334`	`+`
`324`	`335`	`/*`
`325`	`336`	`* We want to remember connection's actual password, whether or not we got`
`326`	`337`	`* it by prompting. So we don't just store the password variable.`

`‎src/bin/pg_dump/pg_dump.c‎`

Lines changed: 15 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@`
`60`	`60`	`#include"pg_backup_db.h"`
`61`	`61`	`#include"pg_backup_utils.h"`
`62`	`62`	`#include"pg_dump.h"`
	`63`	`+#include"fe_utils/connect.h"`
`63`	`64`
`64`	`65`
`65`	`66`	`typedefstruct`
`@@ -965,6 +966,9 @@ setup_connection(Archive AH, const char dumpencoding,`
`965`	`966`	`PGconn*conn=GetConnection(AH);`
`966`	`967`	`constchar*std_strings;`
`967`	`968`
	`969`	`+if (AH->remoteVersion >=70300)`
	`970`	`+PQclear(ExecuteSqlQueryForSingleRow(AH,ALWAYS_SECURE_SEARCH_PATH_SQL));`
	`971`	`+`
`968`	`972`	`/*`
`969`	`973`	`* Set the client encoding if requested.`
`970`	`974`	`*/`
`@@ -1257,21 +1261,30 @@ expand_table_name_patterns(Archive *fout,`
`1257`	`1261`
`1258`	`1262`	`for (cell=patterns->head;cell;cell=cell->next)`
`1259`	`1263`	`{`
	`1264`	`+/*`
	`1265`	`+ * Query must remain ABSOLUTELY devoid of unqualified names. This`
	`1266`	`+ * would be unnecessary given a pg_table_is_visible() variant taking a`
	`1267`	`+ * search_path argument.`
	`1268`	`+ */`
`1260`	`1269`	`if (cell!=patterns->head)`
`1261`	`1270`	`appendPQExpBufferStr(query,"UNION ALL\n");`
`1262`	`1271`	`appendPQExpBuffer(query,`
`1263`	`1272`	`"SELECT c.oid"`
`1264`	`1273`	`"\nFROM pg_catalog.pg_class c"`
`1265`		`-"\n LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace"`
`1266`		`-"\nWHERE c.relkind in ('%c', '%c', '%c', '%c', '%c')\n",`
	`1274`	`+"\n LEFT JOIN pg_catalog.pg_namespace n"`
	`1275`	`+"\n ON n.oid OPERATOR(pg_catalog.=) c.relnamespace"`
	`1276`	`+"\nWHERE c.relkind OPERATOR(pg_catalog.=) ANY"`
	`1277`	`+"\n (array['%c', '%c', '%c', '%c', '%c'])\n",`
`1267`	`1278`	`RELKIND_RELATION,RELKIND_SEQUENCE,RELKIND_VIEW,`
`1268`	`1279`	`RELKIND_MATVIEW,RELKIND_FOREIGN_TABLE);`
`1269`	`1280`	`processSQLNamePattern(GetConnection(fout),query,cell->val, true,`
`1270`	`1281`	`false,"n.nspname","c.relname",NULL,`
`1271`	`1282`	`"pg_catalog.pg_table_is_visible(c.oid)");`
`1272`	`1283`	`}`
`1273`	`1284`
	`1285`	`+ExecuteSqlStatement(fout,"RESET search_path");`
`1274`	`1286`	`res=ExecuteSqlQuery(fout,query->data,PGRES_TUPLES_OK);`
	`1287`	`+PQclear(ExecuteSqlQueryForSingleRow(fout,ALWAYS_SECURE_SEARCH_PATH_SQL));`
`1275`	`1288`
`1276`	`1289`	`for (i=0;i<PQntuples(res);i++)`
`1277`	`1290`	`{`

`‎src/bin/pg_dump/pg_dumpall.c‎`

Lines changed: 2 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@`
`26`	`26`
`27`	`27`	`#include"dumputils.h"`
`28`	`28`	`#include"pg_backup.h"`
	`29`	`+#include"fe_utils/connect.h"`
`29`	`30`
`30`	`31`	`/* version string we expect back from pg_dump */`
`31`	`32`	`#definePGDUMP_VERSIONSTR "pg_dump (PostgreSQL) " PG_VERSION "\n"`
`@@ -1983,12 +1984,8 @@ connectDatabase(const char dbname, const char connection_string,`
`1983`	`1984`	`exit_nicely(1);`
`1984`	`1985`	`}`
`1985`	`1986`
`1986`		`-/*`
`1987`		`- * On 7.3 and later, make sure we are not fooled by non-system schemas in`
`1988`		`- * the search path.`
`1989`		`- */`
`1990`	`1987`	`if (server_version >=70300)`
`1991`		`-executeCommand(conn,"SET search_path = pg_catalog");`
	`1988`	`+PQclear(executeQuery(conn,ALWAYS_SECURE_SEARCH_PATH_SQL));`
`1992`	`1989`
`1993`	`1990`	`returnconn;`
`1994`	`1991`	`}`

`‎src/bin/pg_rewind/libpq_fetch.c‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@`
`29`	`29`	`#include"libpq-fe.h"`
`30`	`30`	`#include"catalog/catalog.h"`
`31`	`31`	`#include"catalog/pg_type.h"`
	`32`	`+#include"fe_utils/connect.h"`
`32`	`33`
`33`	`34`	`staticPGconn*conn=NULL;`
`34`	`35`
`@@ -58,6 +59,12 @@ libpqConnect(const char *connstr)`
`58`	`59`
`59`	`60`	`pg_log(PG_PROGRESS,"connected to server\n");`
`60`	`61`
	`62`	`+res=PQexec(conn,ALWAYS_SECURE_SEARCH_PATH_SQL);`
	`63`	`+if (PQresultStatus(res)!=PGRES_TUPLES_OK)`
	`64`	`+pg_fatal("could not clear search_path: %s",`
	`65`	`+PQresultErrorMessage(res));`
	`66`	`+PQclear(res);`
	`67`	`+`
`61`	`68`	`/*`
`62`	`69`	`* Check that the server is not in hot standby mode. There is no`
`63`	`70`	`* fundamental reason that couldn't be made to work, but it doesn't`

`‎src/bin/pg_upgrade/server.c‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`#include"postgres_fe.h"`
`11`	`11`
	`12`	`+#include"fe_utils/connect.h"`
`12`	`13`	`#include"pg_upgrade.h"`
`13`	`14`
`14`	`15`
`@@ -39,6 +40,8 @@ connectToServer(ClusterInfo cluster, const char db_name)`
`39`	`40`	`exit(1);`
`40`	`41`	`}`
`41`	`42`
	`43`	`+PQclear(executeQueryOrDie(conn,ALWAYS_SECURE_SEARCH_PATH_SQL));`
	`44`	`+`
`42`	`45`	`returnconn;`
`43`	`46`	`}`
`44`	`47`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit91f3ffc

File tree

28 files changed

28 files changed

`‎contrib/oid2name/oid2name.c‎`

`‎contrib/vacuumlo/vacuumlo.c‎`

`‎src/backend/postmaster/autovacuum.c‎`

`‎src/bin/pg_basebackup/streamutil.c‎`

`‎src/bin/pg_dump/dumputils.c‎`

`‎src/bin/pg_dump/pg_backup_db.c‎`

`‎src/bin/pg_dump/pg_dump.c‎`

`‎src/bin/pg_dump/pg_dumpall.c‎`

`‎src/bin/pg_rewind/libpq_fetch.c‎`

`‎src/bin/pg_upgrade/server.c‎`

0 commit comments