Commit aa27977

committed
Support explicit placement of the temporary-table schema within search_path.
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, a malicious user can use temporary objects to execute code with the privileges of the security-definer function. Even pushing the temp schema to the back of the search path is not quite good enough, because a function or operator at the back of the path might still capture control from one nearer the front due to having a more exact datatype match. Hence, disable searching the temp schema altogether for functions and operators.

Security: CVE-2007-2138
1 parent 9350056 commit aa27977

7 files changed, +481 -66 lines changed


doc/src/sgml/config.sgml

Lines changed: 12 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.121 2007/04/18 16:44:17 alvherre Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.122 2007/04/20 02:37:37 tgl Exp $ -->
22

33
<chapter Id="runtime-config">
44
<title>Server Configuration</title>
@@ -3405,9 +3405,17 @@ SELECT * FROM parent WHERE key = 2400;
34053405
mentioned in the path then it will be searched in the specified
34063406
order. If <literal>pg_catalog</> is not in the path then it will
34073407
be searched <emphasis>before</> searching any of the path items.
3408-
It should also be noted that the temporary-table schema,
3409-
<literal>pg_temp_<replaceable>nnn</></>, is implicitly searched before any of
3410-
these.
3408+
</para>
3409+
3410+
<para>
3411+
Likewise, the current session's temporary-table schema,
3412+
<literal>pg_temp_<replaceable>nnn</></>, is always searched if it
3413+
exists. It can be explicitly listed in the path by using the
3414+
alias <literal>pg_temp</>. If it is not listed in the path then
3415+
it is searched first (before even <literal>pg_catalog</>). However,
3416+
the temporary schema is only searched for relation (table, view,
3417+
sequence, etc) and data type names. It will never be searched for
3418+
function or operator names.
34113419
</para>
34123420

34133421
<para>
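Review bot: the new paragraph says what happens when <literal>pg_temp</> is not listed (it is searched first, ahead of <literal>pg_catalog</>) but never states what listing it does, namely that the temporary schema is then searched at the listed position instead of first, which is the property the SECURITY DEFINER guidance relies on when it puts <literal>pg_temp</> last. A sentence after "alias <literal>pg_temp</>." such as "If it is listed, it is searched in the specified position." would close that gap, and a cross-reference to the CREATE FUNCTION security section would help readers find the rationale. The final two sentences (the temporary schema is consulted only for relation and data type names, never for function or operator names) are the substantive change and read correctly.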

doc/src/sgml/ref/create_function.sgml

Lines changed: 49 additions & 1 deletion
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.73 2007/02/01 19:10:24 momjian Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.74 2007/04/20 02:37:37 tgl Exp $
33
-->
44

55
<refentry id="SQL-CREATEFUNCTION">
@@ -508,6 +508,54 @@ SELECT * FROM dup(42);
508508
</para>
509509
</refsect1>
510510

511+
<refsect1 id="sql-createfunction-security">
512+
<title>Writing <literal>SECURITY DEFINER</literal> Functions Safely</title>
513+
514+
<para>
515+
Because a <literal>SECURITY DEFINER</literal> function is executed
516+
with the privileges of the user that created it, care is needed to
517+
ensure that the function cannot be misused. For security,
518+
<xref linkend="guc-search-path"> should be set to exclude any schemas
519+
writable by untrusted users. This prevents
520+
malicious users from creating objects that mask objects used by the
521+
function. Particularly important is in this regard is the
522+
temporary-table schema, which is searched first by default, and
523+
is normally writable by anyone. A secure arrangement can be had
524+
by forcing the temporary schema to be searched last. To do this,
525+
write <literal>pg_temp</> as the last entry in <varname>search_path</>.
526+
This function illustrates safe usage:
527+
</para>
528+
529+
<programlisting>
530+
CREATE FUNCTION check_password(uname TEXT, pass TEXT)
531+
RETURNS BOOLEAN AS $$
532+
DECLARE passed BOOLEAN;
533+
old_path TEXT;
534+
BEGIN
535+
-- Save old search_path; notice we must qualify current_setting
536+
-- to ensure we invoke the right function
537+
old_path := pg_catalog.current_setting('search_path');
538+
539+
-- Set a secure search_path: trusted schemas, then 'pg_temp'.
540+
-- We set is_local = true so that the old value will be restored
541+
-- in event of an error before we reach the function end.
542+
PERFORM pg_catalog.set_config('search_path', 'admin, pg_temp', true);
543+
544+
-- Do whatever secure work we came for.
545+
SELECT (pwd = $2) INTO passed
546+
FROM pwds
547+
WHERE username = $1;
548+
549+
-- Restore caller's search_path
550+
PERFORM pg_catalog.set_config('search_path', old_path, true);
551+
552+
RETURN passed;
553+
END;
554+
$$ LANGUAGE plpgsql SECURITY DEFINER;
555+
</programlisting>
556+
557+
</refsect1>
558+
511559

512560
<refsect1 id="sql-createfunction-compat">
513561
<title>Compatibility</title>
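Review bot: in the example, `SELECT (pwd = $2) INTO passed FROM pwds WHERE username = $1;` leaves `passed` NULL when no row matches, so `RETURN passed;` yields NULL rather than FALSE for an unknown user name; a caller using `IF check_password(...)` treats NULL as false, but a caller comparing the result against FALSE explicitly would not get a match. Returning `COALESCE(passed, false)` (or `passed IS TRUE`) would make the example's contract unambiguous, and since this is a documentation listing the change is a single line. Separately, the prose "Particularly important is in this regard is the temporary-table schema" has a doubled "is" and should read "Particularly important in this regard is the temporary-table schema". The listing otherwise follows its own advice consistently: both `current_setting` and `set_config` are qualified with `pg_catalog`, and `is_local = true` ensures the caller's search_path is restored if an error occurs before the function ends.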

0 commit comments