From f6dc6dd5ba54d52c0733aaafc50da2fbaeabb8b0 Mon Sep 17 00:00:00 2001
From: Noah Misch
Date: Wed, 17 Dec 2014 22:48:40 -0500
Subject: Lock down regression testing temporary clusters on Windows.

Use SSPI authentication to allow connections exclusively from the OS
user that launched the test suite.  This closes on Windows the
vulnerability that commit be76a6d39e2832d4b88c0e1cc381aa44a7f86881
closed on other platforms.  Users of "make installcheck" or custom test
harnesses can run "pg_regress --config-auth=DATADIR" to activate the
same authentication configuration that "make check" would use.
Back-patch to 9.0 (all supported versions).

Security: CVE-2014-0067
---
 src/test/perl/TestLib.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src/test/perl')

diff --git a/src/test/perl/TestLib.pm b/src/test/perl/TestLib.pm
index 46a8bece1e5..57abdb92bf4 100644
--- a/src/test/perl/TestLib.pm
+++ b/src/test/perl/TestLib.pm
@@ -7,6 +7,7 @@ use Exporter 'import';
 our @EXPORT = qw(
   tempdir
   tempdir_short
+  standard_initdb
   start_test_server
   restart_test_server
   psql
@@ -69,6 +70,14 @@ sub tempdir_short
 	return File::Temp::tempdir(CLEANUP => 1);
 }
 
+sub standard_initdb
+{
+	my $pgdata = shift;
+	system_or_bail("initdb -D '$pgdata' -A trust -N >/dev/null");
+	system_or_bail("$ENV{top_srcdir}/src/test/regress/pg_regress",
+				   '--config-auth', $pgdata);
+}
+
 my ($test_server_datadir, $test_server_logfile);
 
 sub start_test_server
@@ -78,7 +87,7 @@ sub start_test_server
 
 	my $tempdir_short = tempdir_short;
 
-	system "initdb -D '$tempdir'/pgdata -A trust -N >/dev/null";
+	standard_initdb "$tempdir/pgdata";
 	$ret = system 'pg_ctl', '-D', "$tempdir/pgdata", '-s', '-w', '-l',
 	  "$tempdir/logfile", '-o',
 	  "--fsync=off -k $tempdir_short --listen-addresses='' --log-statement=all",
-- 
cgit v1.2.3