git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Noah Misch <noah@leadboat.com>
	Mon, 8 May 2023 13:14:07 +0000 (06:14 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 8 May 2023 13:14:12 +0000 (06:14 -0700)
commit	23cb8eaeb97df350273cb8902e55842a955339c8
tree	a65eac5de3e0d5ba57fe3e87acd776468a3ffceb	tree \| snapshot
parent	625acd098b98fb955473bf87c78f49afd20eb7c9	commit \| diff

Replace last PushOverrideSearchPath() call with set_config_option().

The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.

Security: CVE-2023-2454

src/backend/catalog/namespace.c		diff \| blob \| blame \| history
src/backend/commands/schemacmds.c		diff \| blob \| blame \| history
src/test/regress/expected/namespace.out		diff \| blob \| blame \| history
src/test/regress/sql/namespace.sql		diff \| blob \| blame \| history