Skip to content

Prevent possible search_path attacks #915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
knizhnik wants to merge 1 commit into
base: REL_16_STABLE_neon
Choose a base branch
from
Open

Prevent possible search_path attacks #915

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion src/backend/catalog/namespace.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@ static SubTransactionId myTempNamespaceSubID = InvalidSubTransactionId;
* of the GUC variable 'search_path'.
*/
char *namespace_search_path = NULL;

bool prohibit_superuser_overrides;

/* Local functions */
static void recomputeNamespacePath(void);
Expand Down Expand Up @@ -961,6 +961,7 @@ FuncnameGetCandidates(List *names, int nargs, List *argnames,
Oid namespaceId;
CatCList *catlist;
int i;
bool has_superuser_candidate = false;

/* check for caller error */
Assert(nargs >= 0 || !(expand_variadic | expand_defaults));
Expand Down Expand Up @@ -1024,6 +1025,22 @@ FuncnameGetCandidates(List *names, int nargs, List *argnames,
continue; /* proc is not in search path */
}

/* prohibit overrides under superuser */
if (prohibit_superuser_overrides && superuser())
{
bool owned_by_superuser = superuser_arg(procform->proowner);

/* If we have superuser condidate, then ignore all non-supoeruser alternatives */
if (resultList && has_superuser_candidate && !owned_by_superuser)
continue;

/* If new candidate is owned by superuser then forget all non-superuser candidates */
if (owned_by_superuser && !has_superuser_candidate)
resultList = NULL;

has_superuser_candidate = owned_by_superuser;
}

/*
* If we are asked to match to OUT arguments, then use the
* proallargtypes array (which includes those); otherwise use
Expand Down Expand Up @@ -3917,6 +3934,10 @@ recomputeNamespacePath(void)
!list_member_oid(oidlist, myTempNamespace))
oidlist = lcons_oid(myTempNamespace, oidlist);

/* Always place pg_catalog at the beginning of search path */
if (prohibit_superuser_overrides && superuser())
oidlist = lcons_oid(PG_CATALOG_NAMESPACE, oidlist);

/*
* We want to detect the case where the effective value of the base search
* path variables didn't change. As long as we're doing so, we can avoid
Expand Down
1 change: 1 addition & 0 deletions src/include/catalog/namespace.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,7 @@ extern void AtEOSubXact_Namespace(bool isCommit, SubTransactionId mySubid,

/* stuff for search_path GUC variable */
extern PGDLLIMPORT char *namespace_search_path;
extern bool prohibit_superuser_overrides;

extern List *fetch_search_path(bool includeImplicit);
extern int fetch_search_path_array(Oid *sarray, int sarray_len);
Expand Down