author:    Tom Lane, 2008-09-22 13:55:14 +0000
committer: Tom Lane, 2008-09-22 13:55:14 +0000
commit:    cae7ad906a0337120afe856b0a76b03b8ffc7440
tree:      ed5c181dfee6f69d46ecff8eaeaef77035c0466b /doc
parent:    579c025e5fc8d3cc42fc65e1b23da20c9c9f4866
Fix dblink_connect() so that it verifies that a password is supplied in the
conninfo string *before* trying to connect to the remote server, not after.
As pointed out by Marko Kreen, in certain not-very-plausible situations
this could result in sending a password from the postgres user's .pgpass file,
or other places that non-superusers shouldn't have access to, to an
untrustworthy remote server. The cleanest fix seems to be to expose libpq's
conninfo-string-parsing code so that dblink can check for a password option
without duplicating the parsing logic.
Joe Conway, with a little cleanup by Tom Lane
Diffstat (limited to 'doc')
-rw-r--r--  doc/src/sgml/dblink.sgml   13
-rw-r--r--  doc/src/sgml/libpq.sgml   139
2 files changed, 114 insertions, 38 deletions
diff --git a/doc/src/sgml/dblink.sgml b/doc/src/sgml/dblink.sgml index dd0ea3ca2ba..92bb38b2f4e 100644 --- a/doc/src/sgml/dblink.sgml +++ b/doc/src/sgml/dblink.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/dblink.sgml,v 1.4 2008/04/04 16:57:21 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/dblink.sgml,v 1.5 2008/09/22 13:55:13 tgl Exp $ --> <sect1 id="dblink"> <title>dblink</title> @@ -140,12 +140,19 @@ involve a password, then impersonation and subsequent escalation of privileges can occur, because the session will appear to have originated from the user as which the local <productname>PostgreSQL</> - server runs. Therefore, <function>dblink_connect_u()</> is initially + server runs. Also, even if the remote server does demand a password, + it is possible for the password to be supplied from the server + environment, such as a <filename>~/.pgpass</> file belonging to the + server's user. This opens not only a risk of impersonation, but the + possibility of exposing a password to an untrustworthy remote server. + Therefore, <function>dblink_connect_u()</> is initially installed with all privileges revoked from <literal>PUBLIC</>, making it un-callable except by superusers. In some situations it may be appropriate to grant <literal>EXECUTE</> permission for <function>dblink_connect_u()</> to specific users who are considered - trustworthy, but this should be done with care. + trustworthy, but this should be done with care. It is also recommended + that any <filename>~/.pgpass</> file belonging to the server's user + <emphasis>not</> contain any records specifying a wildcard host name. </para> <para> diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 06c9b3849d0..4086f2f7b2e 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml 
@@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.263 2008/09/19 20:06:13 tgl Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.264 2008/09/22 13:55:13 tgl Exp $ --> <chapter id="libpq"> <title><application>libpq</application> - C Library</title> @@ -593,7 +593,7 @@ typedef struct char *compiled; /* Fallback compiled in default value */ char *val; /* Option's current value, or NULL */ char *label; /* Label for field in connect dialog */ - char *dispchar; /* Character to display for this field + char *dispchar; /* Indicates how to display this field in a connect dialog. Values are: "" Display entered value as is "*" Password field - hide value 
@@ -625,6 +625,51 @@ typedef struct </varlistentry> <varlistentry> + <term><function>PQconninfoParse</function><indexterm><primary>PQconninfoParse</></></term> + <listitem> + <para> + Returns parsed connection options from the provided connection string. + +<synopsis> +PQconninfoOption *PQconninfoParse(const char *conninfo, char **errmsg); +</synopsis> + </para> + + <para> + Parses a connection string and returns the resulting options as an + array; or returns NULL if there is a problem with the connection + string. This can be used to determine + the <function>PQconnectdb</function> options in the provided + connection string. The return value points to an array of + <structname>PQconninfoOption</structname> structures, which ends + with an entry having a null <structfield>keyword</> pointer. + </para> + + <para> + Note that only options explicitly specified in the string will have + values set in the result array; no defaults are inserted. + </para> + + <para> + If <literal>errmsg</> is not NULL, then <literal>*errmsg</> is set + to NULL on success, else to a malloc'd error string explaining + the problem. (It is also possible for <literal>*errmsg</> to be + set to NULL even when NULL is returned; this indicates an out-of-memory + situation.) + </para> + + <para> + After processing the options array, free it by passing it to + <function>PQconninfoFree</function>. If this is not done, some memory + is leaked for each call to <function>PQconninfoParse</function>. + Conversely, if an error occurs and <literal>errmsg</> is not NULL, + be sure to free the error string using <function>PQfreemem</>. + </para> + + </listitem> + </varlistentry> + + <varlistentry> <term><function>PQfinish</function><indexterm><primary>PQfinish</></></term> <listitem> <para> 
@@ -2985,39 +3030,6 @@ typedef struct { </para> </listitem> </varlistentry> - - <varlistentry> - <term> - <function>PQfreemem</function> - <indexterm> - <primary>PQfreemem</primary> - </indexterm> - </term> - - <listitem> - <para> - Frees memory allocated by <application>libpq</>. - <synopsis> - void PQfreemem(void *ptr); - </synopsis> - </para> - - <para> - Frees memory allocated by <application>libpq</>, particularly - <function>PQescapeByteaConn</function>, - <function>PQescapeBytea</function>, - <function>PQunescapeBytea</function>, - and <function>PQnotifies</function>. - It is particularly important that this function, rather than - <function>free()</>, be used on Microsoft Windows. This is because - allocating memory in a DLL and releasing it in the application works - only if multithreaded/single-threaded, release/debug, and static/dynamic - flags are the same for the DLL and the application. On non-Microsoft - Windows platforms, this function is the same as the standard library - function <function>free()</>. - </para> - </listitem> - </varlistentry> </variablelist> </sect2> 
@@ -4539,6 +4551,63 @@ char *pg_encoding_to_char(int <replaceable>encoding_id</replaceable>); <variablelist> <varlistentry> <term> + <function>PQfreemem</function> + <indexterm> + <primary>PQfreemem</primary> + </indexterm> + </term> + + <listitem> + <para> + Frees memory allocated by <application>libpq</>. + <synopsis> + void PQfreemem(void *ptr); + </synopsis> + </para> + + <para> + Frees memory allocated by <application>libpq</>, particularly + <function>PQescapeByteaConn</function>, + <function>PQescapeBytea</function>, + <function>PQunescapeBytea</function>, + and <function>PQnotifies</function>. + It is particularly important that this function, rather than + <function>free()</>, be used on Microsoft Windows. This is because + allocating memory in a DLL and releasing it in the application works + only if multithreaded/single-threaded, release/debug, and static/dynamic + flags are the same for the DLL and the application. On non-Microsoft + Windows platforms, this function is the same as the standard library + function <function>free()</>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <function>PQconninfoFree</function> + <indexterm> + <primary>PQconninfoFree</primary> + </indexterm> + </term> + + <listitem> + <para> + Frees the data structures allocated by + <function>PQconndefaults</> or <function>PQconninfoParse</>. + <synopsis> + void PQconninfoFree(PQconninfoOption *connOptions); + </synopsis> + </para> + + <para> + A simple <function>PQfreemem</function> will not do for this, since + the array contains references to subsidiary strings. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <function>PQencryptPassword</function> <indexterm> <primary>PQencryptPassword</primary> |
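Review bot: the new paragraph in the dblink.sgml hunk (the lines starting "server runs. Also, even if the remote server does demand a password") explains the ~/.pgpass exposure risk but never states the defence this commit actually adds for non-superusers, namely that dblink_connect() now checks for a password option in the conninfo string before any connection attempt is made. A sentence to that effect after "possibility of exposing a password to an untrustworthy remote server." would make clear that the remaining risk, and the advice about wildcard host-name records in ~/.pgpass, applies to dblink_connect_u() and to whoever is granted EXECUTE on it.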
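Review bot: in the PQconninfoParse hunk, the errmsg paragraph leaves callers with two NULL-return cases to tell apart (NULL return with *errmsg set to a malloc'd string, and NULL return with *errmsg also NULL for out-of-memory) but does not say outright that the return value must be tested first and errmsg treated only as a diagnostic; one sentence stating that ordering would prevent callers from dereferencing *errmsg on the out-of-memory path. The opening sentence "This can be used to determine the PQconnectdb options in the provided connection string" would also be sharper if it said that no connection is attempted and that, per the following paragraph, only options literally present in the string appear in the result, since that is exactly what lets a caller such as dblink decide whether a password was supplied before connecting.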
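Review bot: the two PQfreemem hunks (removal at -2985 and re-insertion at +4551) move the entry verbatim into the section that now also holds PQconninfoFree, which is sensible since the new PQconninfoFree text explains why "A simple PQfreemem will not do"; however, the PQfreemem description itself names PQescapeByteaConn, PQescapeBytea, PQunescapeBytea and PQnotifies, so it is worth confirming that the entries for those functions still lead readers to the relocated section. The PQconninfoFree entry could also state whether a NULL argument is accepted, as callers that take the NULL-return path of PQconninfoParse will otherwise have to guess.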