From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | pgsql: Reject substituting extension schemas or owners matching ["$'\]. |
Date: | 2023-08-07 13:07:32 |
Message-ID: | E1qSzxL-000sDv-LZ@gemulon.postgresql.org |
Lists: | pgsql-committers |
Reject substituting extension schemas or owners matching ["$'\].

Substituting such values in extension scripts facilitated SQL injection
when @extowner@, @extschema@, or @extschema:...@ appeared inside a
quoting construct (dollar quoting, '', or ""). No bundled extension was
vulnerable. Vulnerable uses do appear in a documentation example and in
non-bundled extensions. Hence, the attack prerequisite was an
administrator having installed files of a vulnerable, trusted,
non-bundled extension. Subject to that prerequisite, this enabled an
attacker having database-level CREATE privilege to execute arbitrary
code as the bootstrap superuser. By blocking this attack in the core
server, there's no need to modify individual extensions. Back-patch to
v11 (all supported versions).

Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph
Berg.

Security: CVE-2023-39417

Branch
------
REL_14_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/d4648a74be07bfb23b449c722303c320297c0327
Modified Files
--------------
src/backend/commands/extension.c | 21 +++++++++++++++
src/test/modules/test_extensions/Makefile | 2 ++
.../test_extensions/expected/test_extensions.out | 30 ++++++++++++++--------
.../test_extensions/sql/test_extensions.sql | 17 +++++++++---
.../test_extensions/test_ext_extschema--1.0.sql | 5 ++++
.../test_extensions/test_ext_extschema.control | 3 +++
6 files changed, 63 insertions(+), 15 deletions(-)
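
An added example, not part of the commit or of PostgreSQL: a Python audit sketch that finds @extowner@, @extschema@ and @extschema:...@ placeholders sitting inside '', "" or dollar quoting in an extension script (the pattern the commit message describes as vulnerable), alongside a check for the character class in the subject line. The function names and the sample script are constructed for illustration; E'' backslash escapes and nested block comments are not handled.

```python
import re

# Placeholders named in the commit message.
PLACEHOLDER = re.compile(r"@(?:extowner|extschema(?::[^@]+)?)@")
DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_][A-Za-z_0-9]*)?\$")
UNSAFE_CHARS = set("\"$'\\")  # the character class from the commit subject

# Constructed sample script (not taken from any real extension).
SAMPLE = """\
-- constructed extension script
CREATE FUNCTION @extschema@.f() RETURNS int LANGUAGE sql AS $$ SELECT 1 $$;
CREATE FUNCTION g() RETURNS text LANGUAGE sql
  AS $body$ SELECT '@extschema@'::text $body$;
ALTER TABLE t OWNER TO "@extowner@";
COMMENT ON TABLE t IS 'lives in @extschema:other_ext@';
"""

def has_unsafe_char(value):
    """True if a schema or owner name contains a quoting-relevant character."""
    return any(ch in UNSAFE_CHARS for ch in value)

def quoted_placeholders(script):
    """Return (line, placeholder, construct) for placeholders inside a quoting construct."""
    findings, i, n = [], 0, len(script)
    while i < n:
        if script.startswith("--", i):       # line comment: skip to end of line
            j = script.find("\n", i)
            i = n if j < 0 else j
            continue
        if script.startswith("/*", i):       # block comment (nesting not handled)
            j = script.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        ch = script[i]
        m = DOLLAR_TAG.match(script, i) if ch == "$" else None
        if m:                                # dollar-quoted body ends at the same tag
            end = script.find(m.group(), m.end())
            end = n if end < 0 else end
            start, kind, nxt = m.end(), "dollar quoting", end + len(m.group())
        elif ch in "'\"":                    # '' or "", a doubled quote is an escape
            j = i + 1
            while j < n and (script[j] != ch or script[j + 1:j + 2] == ch):
                j += 2 if script[j] == ch else 1
            start, end, kind, nxt = i + 1, j, ch * 2, j + 1
        else:
            i += 1
            continue
        for p in PLACEHOLDER.finditer(script, start, end):
            findings.append((script.count("\n", 0, p.start()) + 1, p.group(), kind))
        i = nxt
    return findings
```

Running `quoted_placeholders(SAMPLE)` reports the placeholders on lines 4, 5 and 6 and leaves the unquoted `@extschema@.f()` on line 2 alone.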