Replace last PushOverrideSearchPath() call with set_config_option().
author Noah Misch <[email protected]> Mon, 8 May 2023 13:14:07 +0000 (06:14 -0700)
committer Noah Misch <[email protected]> Mon, 8 May 2023 13:14:11 +0000 (06:14 -0700)
commit 01e8182c73b24ec45849e369ad8b3ecd4ed1ba2b
tree 86a919a9546a39fc8e09e6504689864935f9e955
parent 76a3e1d7a8cb66a6f5f827623b37ea7bb22c1970

The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.

Security: CVE-2023-2454

contrib/seg/Makefile
contrib/seg/expected/security.out [new file with mode: 0644]
contrib/seg/sql/security.sql [new file with mode: 0644]
src/backend/catalog/namespace.c
src/backend/commands/schemacmds.c
src/test/regress/expected/namespace.out
src/test/regress/sql/namespace.sql
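
The non-cooperation described in the commit message, as a simplified C model added here for illustration; it is not PostgreSQL source and not code from this commit. The helper names and the path strings are constructed, and the model assumes only what the message states: an active override entry wins over the search_path GUC value.

```c
/* Simplified model, constructed for illustration; not PostgreSQL source. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8
static const char *guc_search_path = "\"$user\", public"; /* search_path GUC value */
static const char *guc_saved[MAX_DEPTH];      /* value saved at each GUC nest level */
static int guc_nest_level = 0;
static const char *override_stack[MAX_DEPTH]; /* models overrideStack */
static int override_depth = 0;

/* Hypothetical stand-ins for PushOverrideSearchPath() and its matching pop. */
static void push_override(const char *path) { override_stack[override_depth++] = path; }
static void pop_override(void) { override_depth--; }

/* Hypothetical stand-ins for NewGUCNestLevel() and set_config_option("search_path", ...). */
static int new_guc_nest_level(void) { guc_saved[guc_nest_level] = guc_search_path; return ++guc_nest_level; }
static void set_search_path(const char *path) { guc_search_path = path; }
/* Leaving a nest level restores the value saved when that level was opened. */
static void end_guc_nest_level(int level) { guc_nest_level = level - 1; guc_search_path = guc_saved[guc_nest_level]; }

/* Path used for name lookup: a non-empty override stack hides the GUC value. */
static const char *effective_search_path(void) {
    return override_depth > 0 ? override_stack[override_depth - 1] : guc_search_path;
}

/* Mixed mechanisms: the outer caller uses an override, inner code pins the GUC. */
static const char *mixed_mechanisms(void) {
    push_override("new_schema, public");    /* constructed outer path */
    int lvl = new_guc_nest_level();
    set_search_path("pg_catalog, pg_temp"); /* inner code expects this to be in force */
    const char *seen = effective_search_path();
    end_guc_nest_level(lvl);
    pop_override();
    return seen;                            /* still the outer override */
}

/* One mechanism: both layers use GUC nest levels, so the inner setting is honored. */
static const char *guc_only(void) {
    int outer = new_guc_nest_level();
    set_search_path("new_schema, public");
    int inner = new_guc_nest_level();
    set_search_path("pg_catalog, pg_temp");
    const char *seen = effective_search_path();
    end_guc_nest_level(inner);
    end_guc_nest_level(outer);
    return seen;
}

int main(void) { printf("mixed: %s\nguc only: %s\n", mixed_mechanisms(), guc_only()); return 0; }
```

In the mixed case the inner code runs with the outer caller's path even though it set its own, which is why out-of-tree callers of the override mechanism are worth auditing.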