Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit638300f

Browse files
committed
Disallow execution of SPI functions during plperl function compilation.
Perl can be convinced to execute user-defined code during compilationof a plperl function (or at least a plperlu function). That's notsuch a big problem as long as the activity is confined within thePerl interpreter, and it's not clear we could do anything about thatanyway. However, if such code tries to use plperl's SPI functions,we have a bigger problem. In the first place, those functions arelikely to crash because current_call_data->prodesc isn't set up yet.In the second place, because it isn't set up, we lack critical infosuch as whether the function is supposed to be read-only. And inthe third place, this path allows code execution during functionvalidation, which is strongly discouraged because of the potentialfor security exploits. Hence, reject execution of the SPI functionsuntil compilation is finished.While here, add check_spi_usage_allowed() calls to various functionsthat hadn't gotten the memo about checking that. I think that perhapsplperl_sv_to_literal may have been intentionally omitted on the groundsthat it was safe at the time; but if so, the addition of transformsfunctionality changed that. The others are more recently added andseem to be flat-out oversights.Per report from Mark Murawski. Back-patch to all supported branches.Discussion:https://postgr.es/m/9acdf918-7fff-4f40-f750-2ffa84f083d2@intellasoft.net
1 parentcd83cb9 commit638300f

File tree

1 file changed

+31
-2
lines changed

1 file changed

+31
-2
lines changed

‎src/pl/plperl/plperl.c

Lines changed: 31 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,7 @@ static plperl_proc_desc *compile_plperl_function(Oid fn_oid,
264264

265265
staticSV*plperl_hash_from_tuple(HeapTupletuple,TupleDesctupdesc,boolinclude_generated);
266266
staticSV*plperl_hash_from_datum(Datumattr);
267+
staticvoidcheck_spi_usage_allowed(void);
267268
staticSV*plperl_ref_from_pg_array(Datumarg,Oidtypid);
268269
staticSV*split_array(plperl_array_info*info,intfirst,intlast,intnest);
269270
staticSV*make_array_ref(plperl_array_info*info,intfirst,intlast);
@@ -1429,13 +1430,15 @@ plperl_sv_to_datum(SV *sv, Oid typid, int32 typmod,
14291430
char*
14301431
plperl_sv_to_literal(SV*sv,char*fqtypename)
14311432
{
1432-
Datumstr=CStringGetDatum(fqtypename);
1433-
Oidtypid=DirectFunctionCall1(regtypein,str);
1433+
Oidtypid;
14341434
Oidtypoutput;
14351435
Datumdatum;
14361436
booltypisvarlena,
14371437
isnull;
14381438

1439+
check_spi_usage_allowed();
1440+
1441+
typid=DirectFunctionCall1(regtypein,CStringGetDatum(fqtypename));
14391442
if (!OidIsValid(typid))
14401443
ereport(ERROR,
14411444
(errcode(ERRCODE_UNDEFINED_OBJECT),
@@ -3097,6 +3100,21 @@ check_spi_usage_allowed(void)
30973100
/* simple croak as we don't want to involve PostgreSQL code */
30983101
croak("SPI functions can not be used in END blocks");
30993102
}
3103+
3104+
/*
3105+
* Disallow SPI usage if we're not executing a fully-compiled plperl
3106+
* function. It might seem impossible to get here in that case, but there
3107+
* are cases where Perl will try to execute code during compilation. If
3108+
* we proceed we are likely to crash trying to dereference the prodesc
3109+
* pointer. Working around that might be possible, but it seems unwise
3110+
* because it'd allow code execution to happen while validating a
3111+
* function, which is undesirable.
3112+
*/
3113+
if (current_call_data==NULL||current_call_data->prodesc==NULL)
3114+
{
3115+
/* simple croak as we don't want to involve PostgreSQL code */
3116+
croak("SPI functions can not be used during function compilation");
3117+
}
31003118
}
31013119

31023120

@@ -3217,6 +3235,8 @@ plperl_return_next(SV *sv)
32173235
{
32183236
MemoryContextoldcontext=CurrentMemoryContext;
32193237

3238+
check_spi_usage_allowed();
3239+
32203240
PG_TRY();
32213241
{
32223242
plperl_return_next_internal(sv);
@@ -3961,6 +3981,8 @@ plperl_spi_commit(void)
39613981
{
39623982
MemoryContextoldcontext=CurrentMemoryContext;
39633983

3984+
check_spi_usage_allowed();
3985+
39643986
PG_TRY();
39653987
{
39663988
SPI_commit();
@@ -3986,6 +4008,8 @@ plperl_spi_rollback(void)
39864008
{
39874009
MemoryContextoldcontext=CurrentMemoryContext;
39884010

4011+
check_spi_usage_allowed();
4012+
39894013
PG_TRY();
39904014
{
39914015
SPI_rollback();
@@ -4023,6 +4047,11 @@ plperl_util_elog(int level, SV *msg)
40234047
MemoryContextoldcontext=CurrentMemoryContext;
40244048
char*volatilecmsg=NULL;
40254049

4050+
/*
4051+
* We intentionally omit check_spi_usage_allowed() here, as this seems
4052+
* safe to allow even in the contexts that that function rejects.
4053+
*/
4054+
40264055
PG_TRY();
40274056
{
40284057
cmsg=sv2cstr(msg);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp