Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit384cf6d

Browse files
authored
1 parent8846e19 commit384cf6d

File tree

7 files changed

+188
-15
lines changed

7 files changed

+188
-15
lines changed

‎src/backup.c‎

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -928,7 +928,7 @@ check_server_version(PGconn *conn, PGNodeInfo *nodeInfo)
928928
nodeInfo->server_version_str,"9.6");
929929

930930
if (nodeInfo->pgpro_support)
931-
res=pgut_execute(conn,"SELECT pgpro_edition()",0,NULL);
931+
res=pgut_execute(conn,"SELECTpg_catalog.pgpro_edition()",0,NULL);
932932

933933
/*
934934
* Check major version of connected PostgreSQL and major version of
@@ -1120,7 +1120,7 @@ pgpro_support(PGconn *conn)
11201120
PGresult*res;
11211121

11221122
res=pgut_execute(conn,
1123-
"SELECT proname FROM pg_proc WHERE proname='pgpro_edition'",
1123+
"SELECT proname FROMpg_catalog.pg_proc WHERE proname='pgpro_edition'::name AND pronamespace='pg_catalog'::regnamespace::oid",
11241124
0,NULL);
11251125

11261126
if (PQresultStatus(res)==PGRES_TUPLES_OK&&
@@ -1159,7 +1159,7 @@ get_database_map(PGconn *conn)
11591159
*/
11601160
res=pgut_execute_extended(conn,
11611161
"SELECT oid, datname FROM pg_catalog.pg_database "
1162-
"WHERE datname NOT IN ('template1', 'template0')",
1162+
"WHERE datname NOT IN ('template1'::name, 'template0'::name)",
11631163
0,NULL, true, true);
11641164

11651165
/* Don't error out, simply return NULL. See comment above. */

‎src/checkdb.c‎

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -357,10 +357,10 @@ get_index_list(const char *dbname, bool first_db_with_amcheck,
357357

358358
res=pgut_execute(db_conn,"SELECT "
359359
"extname, nspname, extversion "
360-
"FROM pg_namespace n "
361-
"JOIN pg_extension e "
360+
"FROMpg_catalog.pg_namespace n "
361+
"JOINpg_catalog.pg_extension e "
362362
"ON n.oid=e.extnamespace "
363-
"WHERE e.extname IN ('amcheck', 'amcheck_next') "
363+
"WHERE e.extname IN ('amcheck'::name, 'amcheck_next'::name) "
364364
"ORDER BY extversion DESC "
365365
"LIMIT 1",
366366
0,NULL);
@@ -556,8 +556,8 @@ do_amcheck(ConnectionOptions conn_opt, PGconn *conn)
556556

557557
res_db=pgut_execute(conn,
558558
"SELECT datname, oid, dattablespace "
559-
"FROM pg_database "
560-
"WHERE datname NOT IN ('template0', 'template1')",
559+
"FROMpg_catalog.pg_database "
560+
"WHERE datname NOT IN ('template0'::name, 'template1'::name)",
561561
0,NULL);
562562

563563
/* we don't need this connection anymore */

‎src/ptrack.c‎

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -169,7 +169,7 @@ get_ptrack_version(PGconn *backup_conn, PGNodeInfo *nodeInfo)
169169

170170
res_db=pgut_execute(backup_conn,
171171
"SELECT extnamespace::regnamespace, extversion "
172-
"FROM pg_catalog.pg_extension WHERE extname = 'ptrack'",
172+
"FROM pg_catalog.pg_extension WHERE extname = 'ptrack'::name",
173173
0,NULL);
174174

175175
if (PQntuples(res_db)>0)
@@ -187,7 +187,7 @@ get_ptrack_version(PGconn *backup_conn, PGNodeInfo *nodeInfo)
187187
/* ptrack 1.x is supported, save version */
188188
PQclear(res_db);
189189
res_db=pgut_execute(backup_conn,
190-
"SELECT proname FROM pg_proc WHERE proname='ptrack_version'",
190+
"SELECT proname FROMpg_catalog.pg_proc WHERE proname='ptrack_version'::name",
191191
0,NULL);
192192

193193
if (PQntuples(res_db)==0)
@@ -285,7 +285,7 @@ pg_ptrack_clear(PGconn *backup_conn, int ptrack_version_num)
285285

286286
params[0]=palloc(64);
287287
params[1]=palloc(64);
288-
res_db=pgut_execute(backup_conn,"SELECT datname, oid, dattablespace FROM pg_database",
288+
res_db=pgut_execute(backup_conn,"SELECT datname, oid, dattablespace FROMpg_catalog.pg_database",
289289
0,NULL);
290290

291291
for(i=0;i<PQntuples(res_db);i++)
@@ -335,7 +335,7 @@ pg_ptrack_get_and_clear_db(Oid dbOid, Oid tblspcOid, PGconn *backup_conn)
335335

336336
sprintf(params[0],"%i",dbOid);
337337
res_db=pgut_execute(backup_conn,
338-
"SELECT datname FROM pg_database WHERE oid=$1",
338+
"SELECT datname FROMpg_catalog.pg_database WHERE oid=$1",
339339
1, (constchar**)params);
340340
/*
341341
* If database is not found, it's not an error.

‎src/util.c‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -169,7 +169,7 @@ get_current_timeline(PGconn *conn)
169169
char*val;
170170

171171
res=pgut_execute_extended(conn,
172-
"SELECT timeline_id FROM pg_control_checkpoint()",0,NULL, true, true);
172+
"SELECT timeline_id FROMpg_catalog.pg_control_checkpoint()",0,NULL, true, true);
173173

174174
if (PQresultStatus(res)==PGRES_TUPLES_OK)
175175
val=PQgetvalue(res,0,0);

‎src/utils/pgut.c‎

Lines changed: 29 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,12 @@
2020
#include"common/string.h"
2121
#endif
2222

23+
#ifPG_VERSION_NUM >=100000
24+
#include"common/connect.h"
25+
#else
26+
#include"fe_utils/connect.h"
27+
#endif
28+
2329
#include<time.h>
2430

2531
#include"pgut.h"
@@ -257,7 +263,7 @@ pgut_connect(const char *host, const char *port,
257263
pthread_lock(&atexit_callback_disconnect_mutex);
258264
pgut_atexit_push(pgut_disconnect_callback,conn);
259265
pthread_mutex_unlock(&atexit_callback_disconnect_mutex);
260-
returnconn;
266+
break;
261267
}
262268

263269
if (conn&&PQconnectionNeedsPassword(conn)&&prompt_password)
@@ -279,6 +285,28 @@ pgut_connect(const char *host, const char *port,
279285
PQfinish(conn);
280286
returnNULL;
281287
}
288+
289+
/*
290+
* Fix for CVE-2018-1058. This code was taken with small modification from
291+
* src/bin/pg_basebackup/streamutil.c:GetConnection()
292+
*/
293+
if (dbname!=NULL)
294+
{
295+
PGresult*res;
296+
297+
res=PQexec(conn,ALWAYS_SECURE_SEARCH_PATH_SQL);
298+
if (PQresultStatus(res)!=PGRES_TUPLES_OK)
299+
{
300+
elog(ERROR,"could not clear search_path: %s",
301+
PQerrorMessage(conn));
302+
PQclear(res);
303+
PQfinish(conn);
304+
returnNULL;
305+
}
306+
PQclear(res);
307+
}
308+
309+
returnconn;
282310
}
283311

284312
PGconn*

‎tests/CVE_2018_1058.py‎

Lines changed: 143 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,143 @@
1+
importos
2+
importunittest
3+
from .helpers.ptrack_helpersimportProbackupTest,ProbackupException
4+
5+
module_name='CVE-2018-1058'
6+
7+
classCVE_2018_1058(ProbackupTest,unittest.TestCase):
8+
9+
# @unittest.skip("skip")
10+
deftest_basic_default_search_path(self):
11+
""""""
12+
fname=self.id().split('.')[3]
13+
backup_dir=os.path.join(self.tmp_path,module_name,fname,'backup')
14+
node=self.make_simple_node(
15+
base_dir=os.path.join(module_name,fname,'node'),
16+
set_replication=True)
17+
18+
self.init_pb(backup_dir)
19+
self.add_instance(backup_dir,'node',node)
20+
node.slow_start()
21+
22+
node.safe_psql(
23+
'postgres',
24+
"CREATE FUNCTION public.pgpro_edition() "
25+
"RETURNS text "
26+
"AS $$ "
27+
"BEGIN "
28+
" RAISE 'pg_probackup vulnerable!'; "
29+
"END "
30+
"$$ LANGUAGE plpgsql")
31+
32+
self.backup_node(backup_dir,'node',node,backup_type='full',options=['--stream'])
33+
34+
# Clean after yourself
35+
self.del_test_dir(module_name,fname)
36+
37+
# @unittest.skip("skip")
38+
deftest_basic_backup_modified_search_path(self):
39+
""""""
40+
fname=self.id().split('.')[3]
41+
backup_dir=os.path.join(self.tmp_path,module_name,fname,'backup')
42+
node=self.make_simple_node(
43+
base_dir=os.path.join(module_name,fname,'node'),
44+
set_replication=True)
45+
self.set_auto_conf(node,options={'search_path':'public,pg_catalog'})
46+
47+
self.init_pb(backup_dir)
48+
self.add_instance(backup_dir,'node',node)
49+
node.slow_start()
50+
51+
node.safe_psql(
52+
'postgres',
53+
"CREATE FUNCTION public.pg_control_checkpoint(OUT timeline_id integer, OUT dummy integer) "
54+
"RETURNS record "
55+
"AS $$ "
56+
"BEGIN "
57+
" RAISE '% vulnerable!', 'pg_probackup'; "
58+
"END "
59+
"$$ LANGUAGE plpgsql")
60+
61+
node.safe_psql(
62+
'postgres',
63+
"CREATE FUNCTION public.pg_proc(OUT proname name, OUT dummy integer) "
64+
"RETURNS record "
65+
"AS $$ "
66+
"BEGIN "
67+
" RAISE '% vulnerable!', 'pg_probackup'; "
68+
"END "
69+
"$$ LANGUAGE plpgsql; "
70+
"CREATE VIEW public.pg_proc AS SELECT proname FROM public.pg_proc()")
71+
72+
self.backup_node(backup_dir,'node',node,backup_type='full',options=['--stream'])
73+
74+
log_file=os.path.join(node.logs_dir,'postgresql.log')
75+
withopen(log_file,'r')asf:
76+
log_content=f.read()
77+
self.assertFalse(
78+
'pg_probackup vulnerable!'inlog_content)
79+
80+
# Clean after yourself
81+
self.del_test_dir(module_name,fname)
82+
83+
# @unittest.skip("skip")
84+
deftest_basic_checkdb_modified_search_path(self):
85+
""""""
86+
fname=self.id().split('.')[3]
87+
node=self.make_simple_node(
88+
base_dir=os.path.join(module_name,fname,'node'),
89+
initdb_params=['--data-checksums'])
90+
self.set_auto_conf(node,options={'search_path':'public,pg_catalog'})
91+
node.slow_start()
92+
93+
node.safe_psql(
94+
'postgres',
95+
"CREATE FUNCTION public.pg_database(OUT datname name, OUT oid oid, OUT dattablespace oid) "
96+
"RETURNS record "
97+
"AS $$ "
98+
"BEGIN "
99+
" RAISE 'pg_probackup vulnerable!'; "
100+
"END "
101+
"$$ LANGUAGE plpgsql; "
102+
"CREATE VIEW public.pg_database AS SELECT * FROM public.pg_database()")
103+
104+
node.safe_psql(
105+
'postgres',
106+
"CREATE FUNCTION public.pg_extension(OUT extname name, OUT extnamespace oid, OUT extversion text) "
107+
"RETURNS record "
108+
"AS $$ "
109+
"BEGIN "
110+
" RAISE 'pg_probackup vulnerable!'; "
111+
"END "
112+
"$$ LANGUAGE plpgsql; "
113+
"CREATE FUNCTION public.pg_namespace(OUT oid oid, OUT nspname name) "
114+
"RETURNS record "
115+
"AS $$ "
116+
"BEGIN "
117+
" RAISE 'pg_probackup vulnerable!'; "
118+
"END "
119+
"$$ LANGUAGE plpgsql; "
120+
"CREATE VIEW public.pg_extension AS SELECT * FROM public.pg_extension();"
121+
"CREATE VIEW public.pg_namespace AS SELECT * FROM public.pg_namespace();"
122+
)
123+
124+
try:
125+
self.checkdb_node(
126+
options=[
127+
'--amcheck',
128+
'--skip-block-validation',
129+
'-d','postgres','-p',str(node.port)])
130+
self.assertEqual(
131+
1,0,
132+
"Expecting Error because amcheck{,_next} not installed\n"
133+
" Output: {0}\n CMD: {1}".format(
134+
repr(self.output),self.cmd))
135+
exceptProbackupExceptionase:
136+
self.assertIn(
137+
"WARNING: Extension 'amcheck' or 'amcheck_next' are not installed in database postgres",
138+
e.message,
139+
"\n Unexpected Error Message: {0}\n CMD: {1}".format(
140+
repr(e.message),self.cmd))
141+
142+
# Clean after yourself
143+
self.del_test_dir(module_name,fname)

‎tests/__init__.py‎

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,8 @@
66
retention,pgpro560,pgpro589,pgpro2068,false_positive,replica, \
77
compression,page,ptrack,archive,exclude,cfs_backup,cfs_restore, \
88
cfs_validate_backup,auth_test,time_stamp,snapfs,logging, \
9-
locking,remote,external,config,checkdb,set_backup,incr_restore
9+
locking,remote,external,config,checkdb,set_backup,incr_restore, \
10+
CVE_2018_1058
1011

1112

1213
defload_tests(loader,tests,pattern):
@@ -55,6 +56,7 @@ def load_tests(loader, tests, pattern):
5556
suite.addTests(loader.loadTestsFromModule(snapfs))
5657
suite.addTests(loader.loadTestsFromModule(time_stamp))
5758
suite.addTests(loader.loadTestsFromModule(validate))
59+
suite.addTests(loader.loadTestsFromModule(CVE_2018_1058))
5860

5961
returnsuite
6062

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp