The original patch to disallow non-passworded connections to non-superusers

failed to cover all the ways in which a connection can be initiated in dblink.
Plug the remaining holes.  Also, disallow transient connections in functions
for which that feature makes no sense (because they are only sensible as
part of a sequence of operations on the same connection).  Joe Conway

Security: CVE-2007-6601

diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c
index a7809317dc04c40e77fedad677d725b9491e35e6..2ed84da217de452ceb1f3a8f7f8e19adb5d73299 100644 (file)
--- a/contrib/dblink/dblink.c
+++ b/contrib/dblink/dblink.c
@@ -28,6 +28,8 @@
  */
 #include "postgres.h"
 
+#include <ctype.h>
+
 #include "libpq-fe.h"
 
 #include "fmgr.h"
@@ -73,6 +75,7 @@ static void append_res_ptr(dblink_results * results);
 static void remove_res_ptr(dblink_results * results);
 static char *generate_relation_name(Oid relid);
 static char *connstr_strip_password(const char *connstr);
+static void dblink_security_check(PGconn *conn, const char *connstr);
 
 /* Global */
 List      *res_id = NIL;
@@ -108,22 +111,10 @@ dblink_connect(PG_FUNCTION_ARGS)
 
        oldcontext = MemoryContextSwitchTo(TopMemoryContext);
 
-       /* for non-superusers, check that server requires a password */
-       if (!superuser())
-       {
-               /* this attempt must fail */
-               persistent_conn = PQconnectdb(connstr_strip_password(connstr));
-
-               if (PQstatus(persistent_conn) == CONNECTION_OK)
-               {
-                       PQfinish(persistent_conn);
-                       persistent_conn = NULL;
-                       elog(ERROR, "Non-superuser cannot connect if the server does not request a password.");
-               }
-               else
-                       PQfinish(persistent_conn);
-       }
+       /* check password used if not superuser */
+       dblink_security_check(persistent_conn, connstr);
        persistent_conn = PQconnectdb(connstr);
+
        MemoryContextSwitchTo(oldcontext);
 
        if (PQstatus(persistent_conn) == CONNECTION_BAD)
@@ -468,6 +459,8 @@ dblink_record(PG_FUNCTION_ARGS)
                        connstr = GET_STR(PG_GETARG_TEXT_P(0));
                        sql = GET_STR(PG_GETARG_TEXT_P(1));
 
+                       /* check password used if not superuser */
+                       dblink_security_check(conn, connstr);
                        conn = PQconnectdb(connstr);
                        if (PQstatus(conn) == CONNECTION_BAD)
                        {
@@ -652,6 +645,8 @@ dblink_exec(PG_FUNCTION_ARGS)
                connstr = GET_STR(PG_GETARG_TEXT_P(0));
                sql = GET_STR(PG_GETARG_TEXT_P(1));
 
+               /* check password used if not superuser */
+               dblink_security_check(conn, connstr);
                conn = PQconnectdb(connstr);
                if (PQstatus(conn) == CONNECTION_BAD)
                {
@@ -738,7 +733,8 @@ dblink(PG_FUNCTION_ARGS)
 
        if (fcinfo->flinfo->fn_extra == NULL)
        {
-
+               /* check password used if not superuser */
+               dblink_security_check(conn, optstr);
                conn = PQconnectdb(optstr);
                if (PQstatus(conn) == CONNECTION_BAD)
                {
@@ -2176,3 +2172,22 @@ connstr_strip_password(const char *connstr)
 
        return result.data;
 }
+
+static void
+dblink_security_check(PGconn *conn, const char *connstr)
+{
+       if (!superuser())
+       {
+               /* this attempt must fail */
+               conn = PQconnectdb(connstr_strip_password(connstr));
+
+               if (PQstatus(conn) == CONNECTION_OK)
+               {
+                       PQfinish(conn);
+                       conn = NULL;
+                       elog(ERROR, "Non-superuser cannot connect if the server does not request a password.");
+               }
+               else
+                       PQfinish(conn);
+       }
+}