NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitddf1772

committed

Fix insecure parsing of server command-line switches.

An oversight in commite710b65 alloweddatabase names beginning with "-" to be treated as though they were securecommand-line switches; and this switch processing occurs before clientauthentication, so that even an unprivileged remote attacker could exploitthe bug, needing only connectivity to the postmaster's port. Assortedexploits for this are possible, some requiring a valid database login,some not. The worst known problem is that the "-r" switch can be invokedto redirect the process's stderr output, so that subsequent error messageswill be appended to any file the server can write. This can for example beused to corrupt the server's configuration files, so that it will fail whennext restarted. Complete destruction of database tables is also possible.Fix by keeping the database name extracted from a startup packet fullyseparate from command-line switches, as had already been done with theuser name field.The Postgres project thanks Mitsumasa Kondo for discovering this bug,Kyotaro Horiguchi for drafting the fix, and Noah Misch for recognizingthe full extent of the danger.Security:CVE-2013-1899

1 parentb403f41 commitddf1772Copy full SHA for ddf1772

File tree

5 files changed

+31

-34

lines changed

src
- backend
  - main
    - main.c
  - postmaster
    - postmaster.c
  - tcop
    - postgres.c
  - utils/init
    - postinit.c
- include/tcop
  - tcopprot.h

5 files changed

+31

-34

lines changed

`‎src/backend/main/main.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ main(int argc, char *argv[])`
`194`	`194`	`exit(GucInfoMain());`
`195`	`195`
`196`	`196`	`if (argc>1&&strcmp(argv[1],"--single")==0)`
`197`		`-exit(PostgresMain(argc,argv,get_current_username(progname)));`
	`197`	`+exit(PostgresMain(argc,argv,NULL,get_current_username(progname)));`
`198`	`198`
`199`	`199`	`exit(PostmasterMain(argc,argv));`
`200`	`200`	`}`

`‎src/backend/postmaster/postmaster.c`

Lines changed: 2 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -3571,7 +3571,7 @@ BackendRun(Port *port)`
`3571`	`3571`	`* from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see`
`3572`	`3572`	`* pg_split_opts().`
`3573`	`3573`	`*/`
`3574`		`-maxac=5;/* for fixed args supplied below */`
	`3574`	`+maxac=2;/* for fixed args supplied below */`
`3575`	`3575`	`maxac+= (strlen(ExtraOptions)+1) /2;`
`3576`	`3576`
`3577`	`3577`	`av= (char**)MemoryContextAlloc(TopMemoryContext,`
`@@ -3587,11 +3587,6 @@ BackendRun(Port *port)`
`3587`	`3587`	`*/`
`3588`	`3588`	`pg_split_opts(av,&ac,ExtraOptions);`
`3589`	`3589`
`3590`		`-/*`
`3591`		`- * Tell the backend which database to use.`
`3592`		`- */`
`3593`		`-av[ac++]=port->database_name;`
`3594`		`-`
`3595`	`3590`	`av[ac]=NULL;`
`3596`	`3591`
`3597`	`3592`	`Assert(ac<maxac);`
`@@ -3614,7 +3609,7 @@ BackendRun(Port *port)`
`3614`	`3609`	`*/`
`3615`	`3610`	`MemoryContextSwitchTo(TopMemoryContext);`
`3616`	`3611`
`3617`		`-return(PostgresMain(ac,av,port->user_name));`
	`3612`	`+returnPostgresMain(ac,av,port->database_name,port->user_name);`
`3618`	`3613`	`}`
`3619`	`3614`
`3620`	`3615`

`‎src/backend/tcop/postgres.c`

Lines changed: 23 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -3256,13 +3256,14 @@ get_stats_option_name(const char *arg)`
`3256`	`3256`	`* coming from the client, or PGC_SUSET for insecure options coming from`
`3257`	`3257`	`* a superuser client.`
`3258`	`3258`	`*`
`3259`		`- * Returns the database name extracted from the command line, if any.`
	`3259`	`+ * If a database name is present in the command line arguments, it's`
	`3260`	`+ * returned into dbname (this is allowed only if dbname is initially NULL).`
`3260`	`3261`	`* ----------------------------------------------------------------`
`3261`	`3262`	`*/`
`3262`		`-constchar*`
`3263`		`-process_postgres_switches(intargc,char*argv[],GucContextctx)`
	`3263`	`+void`
	`3264`	`+process_postgres_switches(intargc,char*argv[],GucContextctx,`
	`3265`	`+constchar**dbname)`
`3264`	`3266`	`{`
`3265`		`-constchar*dbname;`
`3266`	`3267`	`boolsecure= (ctx==PGC_POSTMASTER);`
`3267`	`3268`	`interrs=0;`
`3268`	`3269`	`GucSourcegucsource;`
`@@ -3303,7 +3304,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3303`	`3304`
`3304`	`3305`	`case'b':`
`3305`	`3306`	`/* Undocumented flag used for binary upgrades */`
`3306`		`-IsBinaryUpgrade= true;`
	`3307`	`+if (secure)`
	`3308`	`+IsBinaryUpgrade= true;`
`3307`	`3309`	`break;`
`3308`	`3310`
`3309`	`3311`	`case'D':`
`@@ -3316,7 +3318,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3316`	`3318`	`break;`
`3317`	`3319`
`3318`	`3320`	`case'E':`
`3319`		`-EchoQuery= true;`
	`3321`	`+if (secure)`
	`3322`	`+EchoQuery= true;`
`3320`	`3323`	`break;`
`3321`	`3324`
`3322`	`3325`	`case'e':`
`@@ -3341,7 +3344,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3341`	`3344`	`break;`
`3342`	`3345`
`3343`	`3346`	`case'j':`
`3344`		`-UseNewLine=0;`
	`3347`	`+if (secure)`
	`3348`	`+UseNewLine=0;`
`3345`	`3349`	`break;`
`3346`	`3350`
`3347`	`3351`	`case'k':`
`@@ -3456,10 +3460,12 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3456`	`3460`	`}`
`3457`	`3461`
`3458`	`3462`	`/*`
`3459`		`- * Should be no more arguments except an optional database name, and`
`3460`		`- * that's only in the secure case.`
	`3463`	`+ * Optional database name should be there only if *dbname is NULL.`
`3461`	`3464`	`*/`
`3462`		`-if (errs\|\|argc-optind>1\|\| (argc!=optind&& !secure))`
	`3465`	`+if (!errs&&dbname&&*dbname==NULL&&argc-optind >=1)`
	`3466`	`+*dbname=strdup(argv[optind++]);`
	`3467`	`+`
	`3468`	`+if (errs\|\|argc!=optind)`
`3463`	`3469`	`{`
`3464`	`3470`	`/* spell the error message a bit differently depending on context */`
`3465`	`3471`	`if (IsUnderPostmaster)`
`@@ -3475,11 +3481,6 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3475`	`3481`	`errhint("Try \"%s --help\" for more information.",progname)));`
`3476`	`3482`	`}`
`3477`	`3483`
`3478`		`-if (argc-optind==1)`
`3479`		`-dbname=strdup(argv[optind]);`
`3480`		`-else`
`3481`		`-dbname=NULL;`
`3482`		`-`
`3483`	`3484`	`/*`
`3484`	`3485`	`* Reset getopt(3) library so that it will work correctly in subprocesses`
`3485`	`3486`	`* or when this function is called a second time with another array.`
`@@ -3488,8 +3489,6 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3488`	`3489`	`#ifdefHAVE_INT_OPTRESET`
`3489`	`3490`	`optreset=1;/* some systems need this too */`
`3490`	`3491`	`#endif`
`3491`		`-`
`3492`		`-returndbname;`
`3493`	`3492`	`}`
`3494`	`3493`
`3495`	`3494`
`@@ -3499,14 +3498,16 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)`
`3499`	`3498`	`*`
`3500`	`3499`	`* argc/argv are the command line arguments to be used. (When being forked`
`3501`	`3500`	`* by the postmaster, these are not the original argv array of the process.)`
`3502`		`- * username is the (possibly authenticated) PostgreSQL user name to be used`
`3503`		`- * for the session.`
	`3501`	`+ * dbname is the name of the database to connect to, or NULL if the database`
	`3502`	`+ * name should be extracted from the command line arguments or defaulted.`
	`3503`	`+ * username is the PostgreSQL user name to be used for the session.`
`3504`	`3504`	`* ----------------------------------------------------------------`
`3505`	`3505`	`*/`
`3506`	`3506`	`int`
`3507`		`-PostgresMain(intargc,charargv[],constcharusername)`
	`3507`	`+PostgresMain(intargc,char*argv[],`
	`3508`	`+constchar*dbname,`
	`3509`	`+constchar*username)`
`3508`	`3510`	`{`
`3509`		`-constchar*dbname;`
`3510`	`3511`	`intfirstchar;`
`3511`	`3512`	`StringInfoDatainput_message;`
`3512`	`3513`	`sigjmp_buflocal_sigjmp_buf;`
`@@ -3553,7 +3554,7 @@ PostgresMain(int argc, char argv[], const char username)`
`3553`	`3554`	`/*`
`3554`	`3555`	`* Parse command-line options.`
`3555`	`3556`	`*/`
`3556`		`-dbname=process_postgres_switches(argc,argv,PGC_POSTMASTER);`
	`3557`	`+process_postgres_switches(argc,argv,PGC_POSTMASTER,&dbname);`
`3557`	`3558`
`3558`	`3559`	`/* Must have gotten a database name, or have a default (the username) */`
`3559`	`3560`	`if (dbname==NULL)`

`‎src/backend/utils/init/postinit.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -912,7 +912,7 @@ process_startup_options(Port *port, bool am_superuser)`
`912`	`912`
`913`	`913`	`Assert(ac<maxac);`
`914`	`914`
`915`		`-(void)process_postgres_switches(ac,av,gucctx);`
	`915`	`+(void)process_postgres_switches(ac,av,gucctx,NULL);`
`916`	`916`	`}`
`917`	`917`
`918`	`918`	`/*`

`‎src/include/tcop/tcopprot.h`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -68,9 +68,10 @@ extern void RecoveryConflictInterrupt(ProcSignalReason reason); /* called from S`
`68`	`68`	`* handler */`
`69`	`69`	`externvoidprepare_for_client_read(void);`
`70`	`70`	`externvoidclient_read_ended(void);`
`71`		`-externconstcharprocess_postgres_switches(intargc,charargv[],`
`72`		`-GucContextctx);`
`73`		`-externintPostgresMain(intargc,charargv[],constcharusername);`
	`71`	`+externvoidprocess_postgres_switches(intargc,char*argv[],`
	`72`	`+GucContextctx,constchar**dbname);`
	`73`	`+externintPostgresMain(intargc,char*argv[],`
	`74`	`+constchardbname,constcharusername);`
`74`	`75`	`externlongget_stack_depth_rlimit(void);`
`75`	`76`	`externvoidResetUsage(void);`
`76`	`77`	`externvoidShowUsage(constchar*title);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitddf1772

File tree

5 files changed

5 files changed

`‎src/backend/main/main.c`

`‎src/backend/postmaster/postmaster.c`

`‎src/backend/tcop/postgres.c`

`‎src/backend/utils/init/postinit.c`

`‎src/include/tcop/tcopprot.h`

0 commit comments