NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitdd5d995

committed

Empty search_path in logical replication apply worker and walsender.

This is likeCVE-2018-1058 commit582edc3. Today, a malicious user of apublisher or subscriber database can invoke arbitrary SQL functionsunder an identity running replication, often a superuser. This fix maycause "does not exist" or "no schema has been selected to create in"errors in a replication process. After upgrading, consider watchingserver logs for these errors. Objects accruing schema qualification inthe wake of the earlier commit are unlikely to need further correction.Back-patch to v10, which introduced logical replication.Security:CVE-2020-14349

1 parent670050d commitdd5d995Copy full SHA for dd5d995

File tree

3 files changed

+27

-0

lines changed

src
- backend/replication
  - libpqwalreceiver
    - libpqwalreceiver.c
  - logical
    - worker.c
- test/subscription/t
  - 001_rep_changes.pl

3 files changed

+27

-0

lines changed

`‎src/backend/replication/libpqwalreceiver/libpqwalreceiver.c‎`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@`
`23`	`23`	`#include"pqexpbuffer.h"`
`24`	`24`	`#include"access/xlog.h"`
`25`	`25`	`#include"catalog/pg_type.h"`
	`26`	`+#include"common/connect.h"`
`26`	`27`	`#include"funcapi.h"`
`27`	`28`	`#include"mb/pg_wchar.h"`
`28`	`29`	`#include"miscadmin.h"`
`@@ -211,6 +212,22 @@ libpqrcv_connect(const char conninfo, bool logical, const char appname,`
`211`	`212`	`returnNULL;`
`212`	`213`	`}`
`213`	`214`
	`215`	`+if (logical)`
	`216`	`+{`
	`217`	`+PGresult*res;`
	`218`	`+`
	`219`	`+res=libpqrcv_PQexec(conn->streamConn,`
	`220`	`+ALWAYS_SECURE_SEARCH_PATH_SQL);`
	`221`	`+if (PQresultStatus(res)!=PGRES_TUPLES_OK)`
	`222`	`+{`
	`223`	`+PQclear(res);`
	`224`	`+ereport(ERROR,`
	`225`	`+(errmsg("could not clear search path: %s",`
	`226`	`+pchomp(PQerrorMessage(conn->streamConn)))));`
	`227`	`+}`
	`228`	`+PQclear(res);`
	`229`	`+}`
	`230`	`+`
`214`	`231`	`conn->logical=logical;`
`215`	`232`
`216`	`233`	`returnconn;`

`‎src/backend/replication/logical/worker.c‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1590,6 +1590,12 @@ ApplyWorkerMain(Datum main_arg)`
`1590`	`1590`	`BackgroundWorkerInitializeConnectionByOid(MyLogicalRepWorker->dbid,`
`1591`	`1591`	`MyLogicalRepWorker->userid);`
`1592`	`1592`
	`1593`	`+/*`
	`1594`	`+ * Set always-secure search path, so malicious users can't redirect user`
	`1595`	`+ * code (e.g. pg_index.indexprs).`
	`1596`	`+ */`
	`1597`	`+SetConfigOption("search_path","",PGC_SUSET,PGC_S_OVERRIDE);`
	`1598`	`+`
`1593`	`1599`	`/* Load the subscription into persistent memory context. */`
`1594`	`1600`	`ApplyContext=AllocSetContextCreate(TopMemoryContext,`
`1595`	`1601`	`"ApplyContext",`

`‎src/test/subscription/t/001_rep_changes.pl‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,10 @@`
`16`	`16`	`$node_subscriber->start;`
`17`	`17`
`18`	`18`	`# Create some preexisting content on publisher`
	`19`	`+$node_publisher->safe_psql(`
	`20`	`+'postgres',`
	`21`	`+"CREATE FUNCTION public.pg_get_replica_identity_index(int)`
	`22`	`+ RETURNS regclass LANGUAGE sql AS 'SELECT 1/0'");# shall not call`
`19`	`23`	`$node_publisher->safe_psql('postgres',`
`20`	`24`	`"CREATE TABLE tab_notrep AS SELECT generate_series(1,10) AS a");`
`21`	`25`	`$node_publisher->safe_psql('postgres',`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdd5d995

File tree

3 files changed

3 files changed

`‎src/backend/replication/libpqwalreceiver/libpqwalreceiver.c‎`

`‎src/backend/replication/logical/worker.c‎`

`‎src/test/subscription/t/001_rep_changes.pl‎`

0 commit comments