NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commita796aac

committed

Support explicit placement of the temporary-table schema within search_path.

This is needed to allow a security-definer function to set a truly securevalue of search_path. Without it, a malicious user can use temporary objectsto execute code with the privileges of the security-definer function. Evenpushing the temp schema to the back of the search path is not quite goodenough, because a function or operator at the back of the path might stillcapture control from one nearer the front due to having a more exact datatypematch. Hence, disable searching the temp schema altogether for functions andoperators.Security:CVE-2007-2138

1 parentf085ee0 commita796aacCopy full SHA for a796aac

File tree

6 files changed

+316

-26

lines changed

doc/src/sgml
src
- backend/catalog
  - namespace.c
- test/regress
  - expected
    - temp.out
  - sql
    - temp.sql

6 files changed

+316

-26

lines changed

`‎doc/src/sgml/ref/create_function.sgml`

Lines changed: 49 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.43 2002/09/21 18:32:54 petere Exp $`
	`2`	`+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.43.2.1 2007/04/20 02:38:57 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<refentry id="SQL-CREATEFUNCTION">`
`@@ -448,6 +448,54 @@ Point * complex_to_point (Complex *z)`
`448`	`448`	`</para>`
`449`	`449`	`</refsect1>`
`450`	`450`
	`451`	`+ <refsect1 id="sql-createfunction-security">`
	`452`	`+ <title>Writing <literal>SECURITY DEFINER</literal> Functions Safely</title>`
	`453`	`+`
	`454`	`+ <para>`
	`455`	`+ Because a <literal>SECURITY DEFINER</literal> function is executed`
	`456`	`+ with the privileges of the user that created it, care is needed to`
	`457`	`+ ensure that the function cannot be misused. For security,`
	`458`	`+ <xref linkend="guc-search-path"> should be set to exclude any schemas`
	`459`	`+ writable by untrusted users. This prevents`
	`460`	`+ malicious users from creating objects that mask objects used by the`
	`461`	`+ function. Particularly important is in this regard is the`
	`462`	`+ temporary-table schema, which is searched first by default, and`
	`463`	`+ is normally writable by anyone. A secure arrangement can be had`
	`464`	`+ by forcing the temporary schema to be searched last. To do this,`
	`465`	`+ write <literal>pg_temp</> as the last entry in <varname>search_path</>.`
	`466`	`+ This function illustrates safe usage:`
	`467`	`+ </para>`
	`468`	`+`
	`469`	`+<programlisting>`
	`470`	`+CREATE FUNCTION check_password(TEXT, TEXT)`
	`471`	`+RETURNS BOOLEAN AS '`
	`472`	`+DECLARE passed BOOLEAN;`
	`473`	`+ old_path TEXT;`
	`474`	`+BEGIN`
	`475`	`+ -- Save old search_path; notice we must qualify current_setting`
	`476`	`+ -- to ensure we invoke the right function`
	`477`	`+ old_path := pg_catalog.current_setting(''search_path'');`
	`478`	`+`
	`479`	`+ -- Set a secure search_path: trusted schemas, then ''pg_temp''.`
	`480`	`+ -- We set is_local = true so that the old value will be restored`
	`481`	`+ -- in event of an error before we reach the function end.`
	`482`	`+ PERFORM pg_catalog.set_config(''search_path'', ''admin, pg_temp'', true);`
	`483`	`+`
	`484`	`+ -- Do whatever secure work we came for.`
	`485`	`+ SELECT (pwd = $2) INTO passed`
	`486`	`+ FROM pwds`
	`487`	`+ WHERE username = $1;`
	`488`	`+`
	`489`	`+ -- Restore caller''s search_path`
	`490`	`+ PERFORM pg_catalog.set_config(''search_path'', old_path, true);`
	`491`	`+`
	`492`	`+ RETURN passed;`
	`493`	`+END;`
	`494`	`+' LANGUAGE plpgsql SECURITY DEFINER;`
	`495`	`+</programlisting>`
	`496`	`+`
	`497`	`+ </refsect1>`
	`498`	`+`
`451`	`499`
`452`	`500`	`<refsect1 id="sql-createfunction-compat">`
`453`	`501`	`<title>Compatibility</title>`

`‎doc/src/sgml/release.sgml`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:44 momjian Exp $`
	`2`	`+$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.42 2007/04/20 02:38:57 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<appendix id="release">`
`@@ -14,7 +14,8 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:`
`14`	`14`	`</note>`
`15`	`15`
`16`	`16`	`<para>`
`17`		`- This release contains a variety of fixes from 7.3.18.`
	`17`	`+ This release contains fixes from 7.3.18,`
	`18`	`+ including a security fix.`
`18`	`19`	`</para>`
`19`	`20`
`20`	`21`	`<sect2>`
`@@ -35,7 +36,24 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.163.2.41 2007/04/19 13:01:`
`35`	`36`
`36`	`37`	`<listitem>`
`37`	`38`	`<para>`
`38`		`- Fix bug in how <command>VACUUM FULL</> handles <command>UPDATE</> chains (Tom, Pavan Deolasee)`
	`39`	`+ Support explicit placement of the temporary-table schema within`
	`40`	`+ <varname>search_path</>, and disable searching it for functions`
	`41`	`+ and operators (Tom)`
	`42`	`+ </para>`
	`43`	`+ <para>`
	`44`	`+ This is needed to allow a security-definer function to set a`
	`45`	`+ truly secure value of <varname>search_path</>. Without it,`
	`46`	`+ an unprivileged SQL user can use temporary objects to execute code`
	`47`	`+ with the privileges of the security-definer function (CVE-2007-2138).`
	`48`	`+ See <xref linkend="sql-createfunction"`
	`49`	`+ endterm="sql-createfunction-title"> for more information.`
	`50`	`+ </para>`
	`51`	`+ </listitem>`
	`52`	`+`
	`53`	`+ <listitem>`
	`54`	`+ <para>`
	`55`	`+ Fix potential-data-corruption bug in how <command>VACUUM FULL</> handles`
	`56`	`+ <command>UPDATE</> chains (Tom, Pavan Deolasee)`
`39`	`57`	`</para>`
`40`	`58`	`</listitem>`
`41`	`59`

`‎doc/src/sgml/runtime.sgml`

Lines changed: 12 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.8 2006/05/21 20:12:20 tgl Exp $`
	`2`	`+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.9 2007/04/20 02:38:58 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<Chapter Id="runtime">`
`@@ -1769,9 +1769,17 @@ dynamic_library_path = '/usr/local/lib/postgresql:/home/my_project/lib:$libdir'`
`1769`	`1769`	`mentioned in the path then it will be searched in the specified`
`1770`	`1770`	`order. If <literal>pg_catalog</> is not in the path then it will`
`1771`	`1771`	`be searched <emphasis>before</> searching any of the path items.`
`1772`		`-It should also be noted that the temporary-table schema,`
`1773`		`-<literal>pg_temp_<replaceable>nnn</></>, is implicitly searched before any of`
`1774`		`-these.`
	`1772`	`+ </para>`
	`1773`	`+`
	`1774`	`+ <para>`
	`1775`	`+ Likewise, the current session's temporary-table schema,`
	`1776`	`+ <literal>pg_temp_<replaceable>nnn</></>, is always searched if it`
	`1777`	`+ exists. It can be explicitly listed in the path by using the`
	`1778`	`+ alias <literal>pg_temp</>. If it is not listed in the path then`
	`1779`	`+ it is searched first (before even <literal>pg_catalog</>). However,`
	`1780`	`+ the temporary schema is only searched for relation (table, view,`
	`1781`	`+ sequence, etc) and data type names. It will never be searched for`
	`1782`	`+ function or operator names.`
`1775`	`1783`	`</para>`
`1776`	`1784`
`1777`	`1785`	`<para>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita796aac

File tree

6 files changed

6 files changed

`‎doc/src/sgml/ref/create_function.sgml`

`‎doc/src/sgml/release.sgml`

`‎doc/src/sgml/runtime.sgml`

0 commit comments