Default: empty
+==== disable_pqexec ====
+
+Disable Simple Query protocol (PQexec). Unlike Extended Query protocol, Simple Query
+allows multiple queries in one packet, which allows some classes of SQL-injection
+attacks. Disabling it can improve security. Obviously this means only clients that
+exclusively use Extended Query protocol will stay working.
+
+Default: 0
+
=== Log settings ===
==== syslog ====
extern usec_t cf_client_idle_timeout;
extern usec_t cf_client_login_timeout;
extern int cf_server_round_robin;
+extern int cf_disable_pqexec;
extern int cf_auth_type;
extern char *cf_auth_file;
switch (pkt->type) {
- /* request immidiate response from server */
- case 'H': /* Flush */
- case 'S': /* Sync */
-
/* one-packet queries */
case 'Q': /* Query */
+ if (cf_disable_pqexec) {
+ slog_error(client, "Client used 'Q' packet type.");
+ disconnect_client(client, true, "PQexec disallowed");
+ return false;
+ }
case 'F': /* FunctionCall */
+ /* request immidiate response from server */
+ case 'H': /* Flush */
+ case 'S': /* Sync */
+
/* copy end markers */
case 'c': /* CopyDone(F/B) */
case 'f': /* CopyFail(F/B) */
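Review bot: The new `case 'Q':` arm falls through into `case 'F':` whenever `cf_disable_pqexec` is 0, but nothing marks that as intentional; add `/* fallthrough */` after the closing brace of the `if` so the next reader, and `-Wimplicit-fallthrough`, do not take it for a missing `break`. The relocated comment also carries the old typo `immidiate`, which could be corrected to `immediate` while the line is being moved. If admin-console sessions are dispatched through this same switch (not visible in the hunk), enabling the option would also disconnect operators whose client tool speaks Simple Query, so that case should be checked, and then either exempted or documented. The switch body continues outside the hunk.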
char *cf_server_check_query = "select 1";
usec_t cf_server_check_delay = 30 * USEC;
int cf_server_round_robin = 0;
+int cf_disable_pqexec = 0;
char *cf_ignore_startup_params = "";
{"server_round_robin", true, CF_INT, &cf_server_round_robin},
{"suspend_timeout", true, CF_TIME, &cf_suspend_timeout},
{"ignore_startup_parameters", true, CF_STR, &cf_ignore_startup_params},
+{"disable_pqexec", false, CF_INT, &cf_disable_pqexec},
{"pkt_buf", false, CF_INT, &cf_sbuf_len},
{"sbuf_loopcnt", true, CF_INT, &cf_sbuf_loopcnt},
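Review bot: The `disable_pqexec` row passes `false` in the second column, while the neighbouring `server_round_robin`, `suspend_timeout` and `ignore_startup_parameters` rows pass `true`. The struct definition is not visible here, but if that column is the reloadable flag, an operator who turns this hardening option on and reloads the config would still be accepting 'Q' packets until the next restart. Either make it reloadable with `{"disable_pqexec", true, CF_INT, &cf_disable_pqexec},` or state in the option's documentation that a restart is required. The table may continue past the visible lines.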