Replace last PushOverrideSearchPath() call with set_config_option().
author Noah Misch <noah@leadboat.com>
Mon, 8 May 2023 13:14:07 +0000 (06:14 -0700)
committer Noah Misch <noah@leadboat.com>
Mon, 8 May 2023 13:14:12 +0000 (06:14 -0700)
commit 2212f7db80e9397825dea5f4947397665a7f60b8
tree 0fa7be510be39fbbd07faafedd866d8f02f83f99
parent c8cdde66de612e3694ed8e17d581487f5d71becd
Replace last PushOverrideSearchPath() call with set_config_option().

The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.

Security: CVE-2023-2454
contrib/seg/Makefile
contrib/seg/expected/security.out [new file with mode: 0644]
contrib/seg/sql/security.sql [new file with mode: 0644]
src/backend/catalog/namespace.c
src/backend/commands/schemacmds.c
src/test/regress/expected/namespace.out
src/test/regress/sql/namespace.sql
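
The non-cooperation described in the commit message, shown as a small self-contained C model. This is an added example, not PostgreSQL source and not code from this commit: every function name and sample path in it is a hypothetical stand-in, and the only behaviour it assumes is the one the message states, that a search_path set through the GUC has no effect while the override stack is non-empty.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT PostgreSQL source; every name below is hypothetical. */
#define MAX_DEPTH 8
static const char *guc_value[MAX_DEPTH] = { "public" }; /* one slot per GUC nest level */
static const char *override_stack[MAX_DEPTH];
static int guc_level = 0, override_depth = 0;

/* Path used for name lookup: a non-empty override stack always wins. */
const char *active_search_path(void) {
    return override_depth > 0 ? override_stack[override_depth - 1] : guc_value[guc_level];
}
void push_override(const char *path) { override_stack[override_depth++] = path; }
void pop_override(void) { override_depth--; }

/* Stand-ins for NewGUCNestLevel(), set_config_option("search_path", ...) and level rollback. */
int open_guc_level(void) { guc_value[guc_level + 1] = guc_value[guc_level]; return ++guc_level; }
void set_search_path_guc(const char *path) { guc_value[guc_level] = path; }
void close_guc_level(int level) { guc_level = level - 1; }

/* Callee that pins its own path through the GUC; returns the path its lookups really used. */
const char *callee_effective_path(void) {
    int lvl = open_guc_level();
    set_search_path_guc("pg_catalog, pg_temp");
    const char *seen = active_search_path();
    close_guc_level(lvl);
    return seen;
}

/* Caller built on the override stack: the callee's GUC setting is silently ignored. */
const char *mixed_mechanisms(void) {
    push_override("new_schema, public");
    const char *seen = callee_effective_path();
    pop_override();
    return seen;
}

/* Caller built on a GUC nest level, the combination the commit standardizes on. */
const char *guc_only(void) {
    int lvl = open_guc_level();
    set_search_path_guc("new_schema, public");
    const char *seen = callee_effective_path();
    close_guc_level(lvl);
    return seen;
}
int main(void) {
    printf("mixed: %s\nguc only: %s\n", mixed_mechanisms(), guc_only());
    return 0;
}
```

When auditing out-of-tree code, the pattern to look for is the first caller: a path installed through the override mechanism around code that relies on its own search_path setting.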