]> granicus.if.org Git - postgresql/commit
Obstruct shell, SQL, and conninfo injection via database and role names.
authorNoah Misch <noah@leadboat.com>
Mon, 8 Aug 2016 14:07:46 +0000 (10:07 -0400)
committerNoah Misch <noah@leadboat.com>
Mon, 8 Aug 2016 14:07:54 +0000 (10:07 -0400)
commita2385cac135bb8498a12b1af2cde18244c7be2b1
tree129e12a8a5ec3b792144f0a7cee0f60907fb24ed
parentd2dd5df5142b1faf2c96ddf5f0c0b358b14f1ac9
Obstruct shell, SQL, and conninfo injection via database and role names.

Due to simplistic quoting and confusion of database names with conninfo
strings, roles with the CREATEDB or CREATEROLE option could escalate to
superuser privileges when a superuser next ran certain maintenance
commands.  The new coding rule for PQconnectdbParams() calls, documented
at conninfo_array_parse(), is to pass expand_dbname=true and wrap
literal database names in a trivial connection string.  Escape
zero-length values in appendConnStrVal().  Back-patch to 9.1 (all
supported versions).

Nathan Bossart, Michael Paquier, and Noah Misch.  Reviewed by Peter
Eisentraut.  Reported by Nathan Bossart.

Security: CVE-2016-5424
21 files changed:
contrib/pg_upgrade/check.c
contrib/pg_upgrade/dump.c
contrib/pg_upgrade/option.c
contrib/pg_upgrade/pg_upgrade.c
contrib/pg_upgrade/pg_upgrade.h
contrib/pg_upgrade/server.c
contrib/pg_upgrade/util.c
contrib/pg_upgrade/version.c
contrib/pg_upgrade/version_old_8_3.c
src/bin/pg_dump/dumputils.c
src/bin/pg_dump/dumputils.h
src/bin/pg_dump/pg_backup.h
src/bin/pg_dump/pg_backup_archiver.c
src/bin/pg_dump/pg_backup_db.c
src/bin/pg_dump/pg_dumpall.c
src/bin/psql/command.c
src/bin/scripts/Makefile
src/bin/scripts/clusterdb.c
src/bin/scripts/reindexdb.c
src/bin/scripts/vacuumdb.c
src/interfaces/libpq/fe-connect.c