NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3855e5b

committed

Ignore attempts to \gset into specially treated variables.

If an interactive psql session used \gset when querying a compromisedserver, the attacker could execute arbitrary code as the operatingsystem account running psql. Using a prefix not found among speciallytreated variables, e.g. every lowercase string, precluded the attack.Fix by issuing a warning and setting no variable for the column inquestion. Users wanting the old behavior can use a prefix and then ameta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5(all supported versions).Reviewed by Robert Haas. Reported by Nick Cleaton.Security:CVE-2020-25696

1 parentac8f624 commit3855e5bCopy full SHA for 3855e5b

File tree

5 files changed

+41

-0

lines changed

src
- bin/psql
- test/regress
  - expected
    - psql.out
  - sql
    - psql.sql

5 files changed

+41

-0

lines changed

`‎src/bin/psql/common.c‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -921,6 +921,13 @@ StoreQueryTuple(const PGresult *result)`
`921`	`921`	`/* concatenate prefix and column name */`
`922`	`922`	`varname=psprintf("%s%s",pset.gset_prefix,colname);`
`923`	`923`
	`924`	`+if (VariableHasHook(pset.vars,varname))`
	`925`	`+{`
	`926`	`+pg_log_warning("attempt to \\gset into specially treated variable \"%s\" ignored",`
	`927`	`+varname);`
	`928`	`+continue;`
	`929`	`+}`
	`930`	`+`
`924`	`931`	`if (!PQgetisnull(result,0,i))`
`925`	`932`	`value=PQgetvalue(result,0,i);`
`926`	`933`	`else`

`‎src/bin/psql/variables.c‎`

Lines changed: 26 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -362,6 +362,32 @@ SetVariableHooks(VariableSpace space, const char *name,`
`362`	`362`	`(void) (*ahook) (current->value);`
`363`	`363`	`}`
`364`	`364`
	`365`	`+/*`
	`366`	`+ * Return true iff the named variable has substitute and/or assign hook`
	`367`	`+ * functions.`
	`368`	`+ */`
	`369`	`+bool`
	`370`	`+VariableHasHook(VariableSpacespace,constchar*name)`
	`371`	`+{`
	`372`	`+struct_variable*current;`
	`373`	`+`
	`374`	`+Assert(space);`
	`375`	`+Assert(name);`
	`376`	`+`
	`377`	`+for (current=space->next;current;current=current->next)`
	`378`	`+{`
	`379`	`+intcmp=strcmp(current->name,name);`
	`380`	`+`
	`381`	`+if (cmp==0)`
	`382`	`+return (current->substitute_hook!=NULL\|\|`
	`383`	`+current->assign_hook!=NULL);`
	`384`	`+if (cmp>0)`
	`385`	`+break;/* it's not there */`
	`386`	`+}`
	`387`	`+`
	`388`	`+return false;`
	`389`	`+}`
	`390`	`+`
`365`	`391`	`/*`
`366`	`392`	`* Convenience function to set a variable's value to "on".`
`367`	`393`	`*/`

`‎src/bin/psql/variables.h‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ boolDeleteVariable(VariableSpace space, const char *name);`
`90`	`90`	`voidSetVariableHooks(VariableSpacespace,constchar*name,`
`91`	`91`	`VariableSubstituteHookshook,`
`92`	`92`	`VariableAssignHookahook);`
	`93`	`+boolVariableHasHook(VariableSpacespace,constchar*name);`
`93`	`94`
`94`	`95`	`voidPsqlVarEnumError(constcharname,constcharvalue,constchar*suggestions);`
`95`	`96`

`‎src/test/regress/expected/psql.out‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,10 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_`
`84`	`84`	`select 10 as "bad name"`
`85`	`85`	`\gset`
`86`	`86`	`invalid variable name: "bad name"`
	`87`	`+select 97 as "EOF", 'ok' as _foo \gset IGNORE`
	`88`	`+attempt to \gset into specially treated variable "IGNOREEOF" ignored`
	`89`	`+\echo :IGNORE_foo :IGNOREEOF`
	`90`	`+ok 0`
`87`	`91`	`-- multiple backslash commands in one line`
`88`	`92`	`select 1 as x, 2 as y \gset pref01_ \\ \echo :pref01_x`
`89`	`93`	`1`

`‎src/test/regress/sql/psql.sql‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,9 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_`
`48`	`48`	`select10as"bad name"`
`49`	`49`	`\gset`
`50`	`50`
	`51`	`+select97as"EOF",'ok'as _foo \gset IGNORE`
	`52`	`+\echo :IGNORE_foo :IGNOREEOF`
	`53`	`+`
`51`	`54`	`-- multiple backslash commands in one line`
`52`	`55`	`select1as x,2as y \gset pref01_ \\ \echo :pref01_x`
`53`	`56`	`select3as x,4as y \gset pref01_ \echo :pref01_x \echo :pref01_y`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3855e5b

File tree

5 files changed

5 files changed

`‎src/bin/psql/common.c‎`

`‎src/bin/psql/variables.c‎`

`‎src/bin/psql/variables.h‎`

`‎src/test/regress/expected/psql.out‎`

`‎src/test/regress/sql/psql.sql‎`

0 commit comments