Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitaafbd1d

Browse files
committed
Restore PGREQUIRESSL recognition in libpq.
Commit65c3bf1 moved handling of the,already then, deprecated requiressl parameter into conninfo_storeval().The default PGREQUIRESSL environment variable was however lost in thechange resulting in a potentially silent accept of a non-SSL connectioneven when set. Its documentation remained. Restore its implementation.Also amend the documentation to mark PGREQUIRESSL as deprecated forthose not following the link to requiressl. Back-patch to 9.3, wherecommit65c3bf1 first appeared.Behavior has been more complex when the user provides both deprecatedand non-deprecated settings. Before commit65c3bf1, libpq operatedaccording to the first of these found: requiressl=1 PGREQUIRESSL=1 sslmode=* PGSSLMODE=*(Note requiressl=0 didn't override sslmode=*; it would only suppressPGREQUIRESSL=1 or a previous requiressl=1. PGREQUIRESSL=0 had no effectwhatsoever.) Starting with commit65c3bf1, libpq ignored PGREQUIRESSL,and order of precedence changed to this: last of requiressl=* or sslmode=* PGSSLMODE=*Starting now, adopt the following order of precedence: last of requiressl=* or sslmode=* PGSSLMODE=* PGREQUIRESSL=1This retains the65c3bf1 behavior for connection strings that containboth requiressl=* and sslmode=*. It retains the65c3bf1 change thateither connection string option overrides both environment variables.For the first time, PGSSLMODE has precedence over PGREQUIRESSL; thisavoids reducing security of "PGREQUIRESSL=1 PGSSLMODE=verify-full"configurations originating under v9.3 and later.Daniel GustafssonSecurity:CVE-2017-7485
1 parent0294ac2 commitaafbd1d

File tree

2 files changed

+27
-0
lines changed

2 files changed

+27
-0
lines changed

‎doc/src/sgml/libpq.sgml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6944,6 +6944,9 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
69446944
</indexterm>
69456945
<envar>PGREQUIRESSL</envar> behaves the same as the <xref
69466946
linkend="libpq-connect-requiressl"> connection parameter.
6947+
This environment variable is deprecated in favor of the
6948+
<envar>PGSSLMODE</envar> variable; setting both variables suppresses the
6949+
effect of this one.
69476950
</para>
69486951
</listitem>
69496952

‎src/interfaces/libpq/fe-connect.c

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4635,6 +4635,30 @@ conninfo_add_defaults(PQconninfoOption *options, PQExpBuffer errorMessage)
46354635
}
46364636
}
46374637

4638+
/*
4639+
* Interpret the deprecated PGREQUIRESSL environment variable. Per
4640+
* tradition, translate values starting with "1" to sslmode=require,
4641+
* and ignore other values. Given both PGREQUIRESSL=1 and PGSSLMODE,
4642+
* PGSSLMODE takes precedence; the opposite was true before v9.3.
4643+
*/
4644+
if (strcmp(option->keyword,"sslmode")==0)
4645+
{
4646+
constchar*requiresslenv=getenv("PGREQUIRESSL");
4647+
4648+
if (requiresslenv!=NULL&&requiresslenv[0]=='1')
4649+
{
4650+
option->val=strdup("require");
4651+
if (!option->val)
4652+
{
4653+
if (errorMessage)
4654+
printfPQExpBuffer(errorMessage,
4655+
libpq_gettext("out of memory\n"));
4656+
return false;
4657+
}
4658+
continue;
4659+
}
4660+
}
4661+
46384662
/*
46394663
* No environment variable specified or the variable isn't set - try
46404664
* compiled-in default

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp