Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit1f474d2

Browse files
committed
Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it is
fundamentally insecure. Instead apply an opmask to the whole interpreter thatimposes restrictions on unsafe operations. These restrictions are much harderto subvert than is Safe.pm, since there is no container to be broken out of.Backported to release 7.4.In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting ofthe two interpreters model for plperl and plperlu adopted in release 8.2.In versions 8.0 and up, the use of Perl's POSIX module to undo its localemangling on Windows has become insecure with these changes, so it isreplaced by our own routine, which is also faster.Nice side effects of the changes include that it is now possible to use perl's"strict" pragma in a natural way in plperl, and that perl's $a and$b variables now work as expected in sort routines, and that functioncompilation is significantly faster.Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker andAlexey Klyukin.Security:CVE-2010-1169
1 parent2b61b3e commit1f474d2

File tree

14 files changed

+400
-266
lines changed

14 files changed

+400
-266
lines changed

‎doc/src/sgml/plperl.sgml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/plperl.sgml,v 2.83 2010/04/03 07:22:55 petere Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/plperl.sgml,v 2.84 2010/05/13 16:39:43 adunstan Exp $ -->
22

33
<chapter id="plperl">
44
<title>PL/Perl - Perl Procedural Language</title>
@@ -1154,8 +1154,16 @@ CREATE TRIGGER test_valid_id_trig
11541154
into a module and loaded by the <literal>on_init</> string.
11551155
Examples:
11561156
<programlisting>
1157-
plperl.on_init = '$ENV{NYTPROF}="start=no";requireDevel::NYTProf::PgPLPerl'
1157+
plperl.on_init = 'require"plperlinit.pl"'
11581158
plperl.on_init = 'use lib "/my/app"; use MyApp::PgInit;'
1159+
</programlisting>
1160+
</para>
1161+
<para>
1162+
Any modules loaded by <literal>plperl.on_init</>, either directly or
1163+
indirectly, will be available for use by <literal>plperl</>. This may
1164+
create a security risk. To see what modules have been loaded you can use:
1165+
<programlisting>
1166+
DO 'elog(WARNING, join ", ", sort keys %INC)' language plperl;
11591167
</programlisting>
11601168
</para>
11611169
<para>

‎src/pl/plperl/GNUmakefile

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
# Makefile for PL/Perl
2-
# $PostgreSQL: pgsql/src/pl/plperl/GNUmakefile,v 1.43 2010/02/12 19:35:25 adunstan Exp $
2+
# $PostgreSQL: pgsql/src/pl/plperl/GNUmakefile,v 1.44 2010/05/13 16:39:43 adunstan Exp $
33

44
subdir = src/pl/plperl
55
top_builddir = ../../..
@@ -36,7 +36,7 @@ NAME = plperl
3636

3737
OBJS = plperl.o SPI.o Util.o
3838

39-
PERLCHUNKS = plc_perlboot.plplc_safe_bad.pl plc_safe_ok.pl
39+
PERLCHUNKS = plc_perlboot.plplc_trusted.pl
4040

4141
SHLIB_LINK =$(perl_embed_ldflags)
4242

@@ -54,9 +54,12 @@ PSQLDIR = $(bindir)
5454

5555
include$(top_srcdir)/src/Makefile.shlib
5656

57-
plperl.o: perlchunks.h
57+
plperl.o: perlchunks.h plperl_opmask.h
5858

59-
perlchunks.h:$(PERLCHUNKS)
59+
plperl_opmask.h: plperl_opmask.pl
60+
$(PERL)$<$@
61+
62+
perlchunks.h:$(PERLCHUNKS)
6063
$(PERL)$(srcdir)/text2macro.pl --strip='^(\#.*|\s*)$$'$^>$@
6164

6265
all: all-lib
@@ -81,7 +84,7 @@ submake:
8184
$(MAKE) -C$(top_builddir)/src/test/regress pg_regress$(X)
8285

8386
cleandistcleanmaintainer-clean: clean-lib
84-
rm -f SPI.c Util.c$(OBJS) perlchunks.h
87+
rm -f SPI.c Util.c$(OBJS) perlchunks.h plperl_opmask.h
8588
rm -rf results
8689
rm -f regression.diffs regression.out
8790

‎src/pl/plperl/expected/plperl.out

Lines changed: 17 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -563,8 +563,23 @@ $$ LANGUAGE plperl;
563563
NOTICE: This is a test
564564
CONTEXT: PL/Perl anonymous code block
565565
-- check that restricted operations are rejected in a plperl DO block
566-
DO $$ eval "1+1"; $$ LANGUAGE plperl;
567-
ERROR: 'eval "string"' trapped by operation mask at line 1.
566+
DO $$ system("/nonesuch"); $$ LANGUAGE plperl;
567+
ERROR: 'system' trapped by operation mask at line 1.
568+
CONTEXT: PL/Perl anonymous code block
569+
DO $$ qx("/nonesuch"); $$ LANGUAGE plperl;
570+
ERROR: 'quoted execution (``, qx)' trapped by operation mask at line 1.
571+
CONTEXT: PL/Perl anonymous code block
572+
DO $$ open my $fh, "</nonesuch"; $$ LANGUAGE plperl;
573+
ERROR: 'open' trapped by operation mask at line 1.
574+
CONTEXT: PL/Perl anonymous code block
575+
-- check that eval is allowed and eval'd restricted ops are caught
576+
DO $$ eval q{chdir '.'}; warn "Caught: $@"; $$ LANGUAGE plperl;
577+
WARNING: Caught: 'chdir' trapped by operation mask at line 2.
578+
CONTEXT: PL/Perl anonymous code block
579+
-- check that compiling do (dofile opcode) is allowed
580+
-- but that executing it for a file not already loaded (via require) dies
581+
DO $$ warn do "/dev/null"; $$ LANGUAGE plperl;
582+
ERROR: Unable to load /dev/null into plperl at line 1.
568583
CONTEXT: PL/Perl anonymous code block
569584
-- check that we can't "use" a module that's not been loaded already
570585
-- compile-time error: "Unable to load blib.pm into plperl"
Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,14 @@
11
-- test plperl.on_plperl_init errors are fatal
22
-- Avoid need for custom_variable_classes = 'plperl'
33
LOAD 'plperl';
4-
SET SESSION plperl.on_plperl_init = 'eval "1+1" ';
4+
SET SESSION plperl.on_plperl_init = 'system("/nonesuch") ';
55
SHOW plperl.on_plperl_init;
66
plperl.on_plperl_init
77
-----------------------
8-
eval "1+1"
8+
system("/nonesuch")
99
(1 row)
1010

1111
DO $$ warn 42 $$ language plperl;
12-
ERROR: 'eval "string"' trapped by operation mask at line 2.
13-
CONTEXT:while executing plperl.on_plperl_init
12+
ERROR: 'system' trapped by operation mask at line 2.
13+
CONTEXT:While executing plperl.on_plperl_init.
1414
PL/Perl anonymous code block

‎src/pl/plperl/expected/plperl_plperlu.out

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,3 +63,31 @@ select bar('hey');
6363
hey
6464
(1 row)
6565

66+
--
67+
-- Make sure we can't use/require things in plperl
68+
--
69+
CREATE OR REPLACE FUNCTION use_plperlu() RETURNS void LANGUAGE plperlu
70+
AS $$
71+
use Errno;
72+
$$;
73+
CREATE OR REPLACE FUNCTION use_plperl() RETURNS void LANGUAGE plperl
74+
AS $$
75+
use Errno;
76+
$$;
77+
ERROR: Unable to load Errno.pm into plperl at line 2.
78+
BEGIN failed--compilation aborted at line 2.
79+
CONTEXT: compilation of PL/Perl function "use_plperl"
80+
-- make sure our overloaded require op gets restored/set correctly
81+
select use_plperlu();
82+
use_plperlu
83+
-------------
84+
85+
(1 row)
86+
87+
CREATE OR REPLACE FUNCTION use_plperl() RETURNS void LANGUAGE plperl
88+
AS $$
89+
use Errno;
90+
$$;
91+
ERROR: Unable to load Errno.pm into plperl at line 2.
92+
BEGIN failed--compilation aborted at line 2.
93+
CONTEXT: compilation of PL/Perl function "use_plperl"

‎src/pl/plperl/plc_perlboot.pl

Lines changed: 5 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11

2-
# $PostgreSQL: pgsql/src/pl/plperl/plc_perlboot.pl,v 1.5 2010/02/16 21:39:52 adunstan Exp $
2+
# $PostgreSQL: pgsql/src/pl/plperl/plc_perlboot.pl,v 1.6 2010/05/13 16:39:43 adunstan Exp $
33

44
use 5.008001;
55

@@ -33,15 +33,12 @@ sub mkfuncsrc {
3333
}sortkeys%$imports;
3434
$BEGIN &&="BEGIN {$BEGIN }";
3535

36-
$name =~s/\\/\\\\/g;
37-
$name =~s/::|'/_/g;# avoid package delimiters
38-
39-
returnqq[ package main; undef *{'$name'}; *{'$name'} = sub {$BEGIN$prolog$src }];
36+
returnqq[ package main; sub {$BEGIN$prolog$src }];
4037
}
4138

42-
# see also mksafefunc() in plc_safe_ok.pl
43-
submkunsafefunc {
44-
nostrict;# default to nostrict for the eval
39+
submkfunc {
40+
no strict;# default to no strict for the eval
41+
nowarnings;# default to nowarnings for the eval
4542
my$ret =eval(mkfuncsrc(@_));
4643
$@ =~s/\(eval\d+\)//gif$@;
4744
return$ret;

‎src/pl/plperl/plc_safe_bad.pl

Lines changed: 0 additions & 16 deletions
This file was deleted.

‎src/pl/plperl/plc_safe_ok.pl

Lines changed: 0 additions & 95 deletions
This file was deleted.

‎src/pl/plperl/plc_trusted.pl

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
2+
3+
# $PostgreSQL: pgsql/src/pl/plperl/plc_trusted.pl,v 1.1 2010/05/13 16:39:43 adunstan Exp $
4+
5+
packagePostgreSQL::InServer::safe;
6+
7+
# Load widely useful pragmas into plperl to make them available.
8+
#
9+
# SECURITY RISKS:
10+
#
11+
# Since these modules are free to compile unsafe opcodes they must
12+
# be trusted to now allow any code containing unsafe opcodes to be abused.
13+
# That's much harder than it sounds.
14+
#
15+
# Be aware that perl provides a wide variety of ways to subvert
16+
# pre-compiled code. For some examples, see this presentation:
17+
# http://www.slideshare.net/cdman83/barely-legal-xxx-perl-presentation
18+
#
19+
# If in ANY doubt about a module, or ANY of the modules down the chain of
20+
# dependencies it loads, then DO NOT add it to this list.
21+
#
22+
# To check if any of these modules use "unsafe" opcodes you can compile
23+
# plperl with the PLPERL_ENABLE_OPMASK_EARLY macro defined. See plperl.c
24+
25+
require strict;
26+
require Carp;
27+
require Carp::Heavy;
28+
require warnings;
29+
require featureif$] >= 5.010000;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp