Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit226a980

Browse files
committed
Fix bug that allowed any logged-in user to SET ROLE to any other database user
id (CVE-2006-0553). Also fix related bug in SET SESSION AUTHORIZATION thatallows unprivileged users to crash the server, if it has been compiled withAsserts enabled. The escalation-of-privilege risk exists only in 8.1.0-8.1.2.However, the Assert-crash risk exists in all releases back to 7.3.Thanks to Akio Ishida for reporting this problem.
1 parent2a5180c commit226a980

File tree

4 files changed

+22
-11
lines changed

4 files changed

+22
-11
lines changed

‎src/backend/commands/variable.c‎

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99
*
1010
*
1111
* IDENTIFICATION
12-
* $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.115 2005/11/22 18:17:10 momjian Exp $
12+
* $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.116 2006/02/12 22:32:42 tgl Exp $
1313
*
1414
*-------------------------------------------------------------------------
1515
*/
@@ -586,7 +586,9 @@ assign_client_encoding(const char *value, bool doit, GucSource source)
586586
* by the numeric oid, followed by a comma, followed by the role name.
587587
* This cannot be confused with a plain role name because of the NAMEDATALEN
588588
* limit on names, so we can tell whether we're being passed an initial
589-
* role name or a saved/restored value.
589+
* role name or a saved/restored value. (NOTE: we rely on guc.c to have
590+
* properly truncated any incoming value, but not to truncate already-stored
591+
* values. See GUC_IS_NAME processing.)
590592
*/
591593
externchar*session_authorization_string;/* in guc.c */
592594

‎src/backend/utils/mb/encnames.c‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
* Encoding names and routines for work with it. All
33
* in this file is shared bedween FE and BE.
44
*
5-
* $PostgreSQL: pgsql/src/backend/utils/mb/encnames.c,v 1.27 2006/01/11 08:43:12 neilc Exp $
5+
* $PostgreSQL: pgsql/src/backend/utils/mb/encnames.c,v 1.28 2006/02/12 22:32:42 tgl Exp $
66
*/
77
#ifdefFRONTEND
88
#include"postgres_fe.h"
@@ -449,7 +449,7 @@ pg_char_to_encname_struct(const char *name)
449449
if (name==NULL||*name=='\0')
450450
returnNULL;
451451

452-
if (strlen(name)>NAMEDATALEN)
452+
if (strlen(name) >=NAMEDATALEN)
453453
{
454454
#ifdefFRONTEND
455455
fprintf(stderr,"encoding name too long\n");

‎src/backend/utils/misc/guc.c‎

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
* Written by Peter Eisentraut <peter_e@gmx.net>.
1111
*
1212
* IDENTIFICATION
13-
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.310 2006/02/04 12:50:47 petere Exp $
13+
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.311 2006/02/12 22:32:42 tgl Exp $
1414
*
1515
*--------------------------------------------------------------------
1616
*/
@@ -48,6 +48,7 @@
4848
#include"optimizer/planmain.h"
4949
#include"parser/parse_expr.h"
5050
#include"parser/parse_relation.h"
51+
#include"parser/scansup.h"
5152
#include"postmaster/autovacuum.h"
5253
#include"postmaster/bgwriter.h"
5354
#include"postmaster/syslogger.h"
@@ -1707,7 +1708,7 @@ static struct config_string ConfigureNamesString[] =
17071708
{"client_encoding",PGC_USERSET,CLIENT_CONN_LOCALE,
17081709
gettext_noop("Sets the client's character set encoding."),
17091710
NULL,
1710-
GUC_REPORT
1711+
GUC_IS_NAME |GUC_REPORT
17111712
},
17121713
&client_encoding_string,
17131714
"SQL_ASCII",assign_client_encoding,NULL
@@ -1787,7 +1788,8 @@ static struct config_string ConfigureNamesString[] =
17871788
{
17881789
{"default_tablespace",PGC_USERSET,CLIENT_CONN_STATEMENT,
17891790
gettext_noop("Sets the default tablespace to create tables and indexes in."),
1790-
gettext_noop("An empty string selects the database's default tablespace.")
1791+
gettext_noop("An empty string selects the database's default tablespace."),
1792+
GUC_IS_NAME
17911793
},
17921794
&default_tablespace,
17931795
"",assign_default_tablespace,NULL
@@ -1945,7 +1947,7 @@ static struct config_string ConfigureNamesString[] =
19451947
{"server_encoding",PGC_INTERNAL,CLIENT_CONN_LOCALE,
19461948
gettext_noop("Sets the server (database) character set encoding."),
19471949
NULL,
1948-
GUC_REPORT |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
1950+
GUC_IS_NAME |GUC_REPORT |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
19491951
},
19501952
&server_encoding_string,
19511953
"SQL_ASCII",NULL,NULL
@@ -1967,7 +1969,7 @@ static struct config_string ConfigureNamesString[] =
19671969
{"role",PGC_USERSET,UNGROUPED,
19681970
gettext_noop("Sets the current role."),
19691971
NULL,
1970-
GUC_NO_SHOW_ALL |GUC_NO_RESET_ALL |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
1972+
GUC_IS_NAME |GUC_NO_SHOW_ALL |GUC_NO_RESET_ALL |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
19711973
},
19721974
&role_string,
19731975
"none",assign_role,show_role
@@ -1978,7 +1980,7 @@ static struct config_string ConfigureNamesString[] =
19781980
{"session_authorization",PGC_USERSET,UNGROUPED,
19791981
gettext_noop("Sets the session user name."),
19801982
NULL,
1981-
GUC_REPORT |GUC_NO_SHOW_ALL |GUC_NO_RESET_ALL |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
1983+
GUC_IS_NAME |GUC_REPORT |GUC_NO_SHOW_ALL |GUC_NO_RESET_ALL |GUC_NOT_IN_SAMPLE |GUC_DISALLOW_IN_FILE
19821984
},
19831985
&session_authorization_string,
19841986
NULL,assign_session_authorization,show_session_authorization
@@ -3988,6 +3990,12 @@ set_config_option(const char *name, const char *value,
39883990
newval=guc_strdup(elevel,value);
39893991
if (newval==NULL)
39903992
return false;
3993+
/*
3994+
* The only sort of "parsing" check we need to do is
3995+
* apply truncation if GUC_IS_NAME.
3996+
*/
3997+
if (conf->gen.flags&GUC_IS_NAME)
3998+
truncate_identifier(newval,strlen(newval), true);
39913999
}
39924000
elseif (conf->reset_val)
39934001
{

‎src/include/utils/guc_tables.h‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
*
88
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
99
*
10-
* $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.20 2005/07/14 05:13:44 tgl Exp $
10+
* $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.21 2006/02/12 22:32:43 tgl Exp $
1111
*
1212
*-------------------------------------------------------------------------
1313
*/
@@ -126,6 +126,7 @@ struct config_generic
126126
#defineGUC_DISALLOW_IN_FILE0x0040/* can't set in postgresql.conf */
127127
#defineGUC_CUSTOM_PLACEHOLDER0x0080/* placeholder for custom variable */
128128
#defineGUC_SUPERUSER_ONLY0x0100/* show only to superusers */
129+
#defineGUC_IS_NAME0x0200/* limit string to NAMEDATALEN-1 */
129130

130131
/* bit values in status field */
131132
#defineGUC_HAVE_TENTATIVE0x0001/* tentative value is defined */

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp