diff options
| author | Noah Misch | 2018-02-26 15:39:44 +0000 |
|---|---|---|
| committer | Noah Misch | 2018-02-26 15:39:48 +0000 |
| commit | 928bca1a30d7e05cc3857a99e27aa8ed08ed2fac (patch) | |
| tree | 4cde95cae4c2a06fd249123078e4b4255d00d17f /doc/src | |
| parent | 461c32b557ddbb0ed67b4b2232a191554ad40c3c (diff) | |
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
Diffstat (limited to 'doc/src')
0 files changed, 0 insertions, 0 deletions