From 4aadfba465c1dc43fd6125a431a7c0c8e78f5d0e Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 13 May 2010 18:29:54 +0000
Subject: Prevent PL/Tcl from loading the "unknown" module from pltcl_modules
 unless that is a regular table or view owned by a superuser.  This prevents a
 trojan horse attack whereby any unprivileged SQL user could create such a
 table and insert code into it that would then get executed in other users'
 sessions whenever they call pltcl functions.

Worse yet, because the code was automatically loaded into both the "normal"
and "safe" interpreters at first use, the attacker could execute unrestricted
Tcl code in the "normal" interpreter without there being any pltclu functions
anywhere, or indeed anyone else using pltcl at all: installing pltcl is
sufficient to open the hole.  Change the initialization logic so that the
"unknown" code is only loaded into an interpreter when the interpreter is
first really used.  (That doesn't add any additional security in this
particular context, but it seems a prudent change, and anyway the former
behavior violated the principle of least astonishment.)

Security: CVE-2010-1170
---
 doc/src/sgml/pltcl.sgml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/pltcl.sgml b/doc/src/sgml/pltcl.sgml
index b5f286bd1e5..d72e275ae77 100644
--- a/doc/src/sgml/pltcl.sgml
+++ b/doc/src/sgml/pltcl.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/pltcl.sgml,v 2.26.2.2 2004/01/24 23:06:41 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/pltcl.sgml,v 2.26.2.3 2010/05/13 18:29:54 tgl Exp $
 -->
 
  <chapter id="pltcl">
@@ -646,11 +646,13 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
 	It recognizes a special table, <literal>pltcl_modules</>, which
 	is presumed to contain modules of Tcl code.  If this table
 	exists, the module <literal>unknown</> is fetched from the table
-	and loaded into the Tcl interpreter immediately after creating
-	the interpreter.
+	and loaded into the Tcl interpreter immediately before the first
+	execution of a PL/Tcl function in a database session.  (This
+	happens separately for PL/Tcl and PL/TclU, if both are used,
+	because separate interpreters are used for the two languages.)
        </para>
        <para>
-        While the <literal>unknown</> module could actually contain any
+	While the <literal>unknown</> module could actually contain any
 	initialization script you need, it normally defines a Tcl
 	<function>unknown</> procedure that is invoked whenever Tcl does
 	not recognize an invoked procedure name.  <application>PL/Tcl</>'s standard version
@@ -663,18 +665,22 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
 	is reasonably quick.
        </para>
        <para>
-        The <productname>PostgreSQL</productname> distribution includes
+	The <productname>PostgreSQL</productname> distribution includes
 	support scripts to maintain these tables:
 	<command>pltcl_loadmod</>, <command>pltcl_listmod</>,
 	<command>pltcl_delmod</>, as well as source for the standard
-	<literal>unknown</> module in <filename>share/unknown.pltcl</>.  This module
+	<literal>unknown</> module in <filename>share/unknown.pltcl</>.	 This module
 	must be loaded
 	into each database initially to support the autoloading mechanism.
        </para>
        <para>
-        The tables <literal>pltcl_modules</> and <literal>pltcl_modfuncs</>
+	The tables <literal>pltcl_modules</> and <literal>pltcl_modfuncs</>
 	must be readable by all, but it is wise to make them owned and
-	writable only by the database administrator.
+	writable only by the database administrator.  As a security
+	precaution, PL/Tcl will ignore <literal>pltcl_modules</> (and thus,
+	not attempt to load the <literal>unknown</> module) unless it is
+	owned by a superuser.  But update privileges on this table can be
+	granted to other users, if you trust them sufficiently.
        </para>
    </sect1>
 
-- 
cgit v1.2.3