- Notifications
You must be signed in to change notification settings - Fork28
Commitf6f735f
committed
Fix failure to reset libpq's state fully between connection attempts.
The logic in PQconnectPoll() did not take care to ensure that all ofa PGconn's internal state variables were reset before trying a newconnection attempt. If we got far enough in the connection sequenceto have changed any of these variables, and then decided to try a newserver address or server name, the new connection might be completedwith some state that really only applied to the failed connection.While this has assorted bad consequences, the only one that is clearlya security issue is that password_needed didn't get reset, so thatif the first server asked for a password and the second didn't,PQconnectionUsedPassword() would return an incorrect result. Thiscould be leveraged by unprivileged users of dblink or postgres_fdwto allow them to use server-side login credentials that they shouldnot be able to use.Other notable problems include the possibility of forcing a v2-protocolconnection to a server capable of supporting v3, or overriding"sslmode=prefer" to cause a non-encrypted connection to a server thatwould have accepted an encrypted one. Those are certainly bugs butit's harder to paint them as security problems in themselves. However,forcing a v2-protocol connection could result in libpq having a wrongidea of the server's standard_conforming_strings setting, which opensthe door to SQL-injection attacks. The extent to which that's actuallya problem, given the prerequisite that the attacker needs control ofthe client's connection parameters, is unclear.These problems have existed for a long time, but became more easilyexploitable in v10, both because it introduced easy ways to force libpqto abandon a connection attempt at a late stage and then try another one(rather than just giving up), and because it provided an easy way tospecify multiple target hosts.Fix by rearranging PQconnectPoll's state machine to provide centralizedplaces to reset state properly when moving to a new target host or whendropping and retrying a connection to the same host.Tom Lane, reviewed by Noah Misch. Our thanks to Andrew Krasichkovfor finding and reporting the problem.Security:CVE-2018-109151 parentc6db605 commitf6f735f
2 files changed
+297
-200
lines changed0 commit comments
Comments
(0)