From: Marko Kreen
Date: Mon, 6 Sep 2010 14:00:32 +0000 (+0300)
Subject: new config var: disable_pqexec
X-Git-Tag: pgbouncer_1_4_rc3~55
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=032e32847acbec3c41a5a0b54f6a3b0c3e08bc29;p=pgbouncer

new config var: disable_pqexec
---
diff --git a/doc/config.txt b/doc/config.txt
index de60817..08a6d3a 100644
--- a/doc/config.txt
+++ b/doc/config.txt
@@ -175,6 +175,15 @@ specified here, so that pgbouncer knows that they are handled by admin and it ca
 Default: empty
+==== disable_pqexec ====
+
+Disable Simple Query protocol (PQexec). Unlike Extended Query protocol, Simple Query
+allows multiple queries in one packet, which allows some classes of SQL-injection
+attacks. Disabling it can improve security. Obviously this means only clients that
+exclusively use Extended Query protocol will stay working.
+
+Default: 0
+
 === Log settings ===
 ==== syslog ====
diff --git a/include/bouncer.h b/include/bouncer.h
index 277f58d..e989dca 100644
--- a/include/bouncer.h
+++ b/include/bouncer.h
@@ -340,6 +340,7 @@ extern usec_t cf_query_wait_timeout;
 extern usec_t cf_client_idle_timeout;
 extern usec_t cf_client_login_timeout;
 extern int cf_server_round_robin;
+extern int cf_disable_pqexec;
 extern int cf_auth_type;
 extern char *cf_auth_file;
diff --git a/src/client.c b/src/client.c
index c23b561..f659a8d 100644
--- a/src/client.c
+++ b/src/client.c
@@ -291,14 +291,19 @@ static bool handle_client_work(PgSocket *client, PktHdr *pkt)
 switch (pkt->type) {
- /* request immidiate response from server */
- case 'H': /* Flush */
- case 'S': /* Sync */
-
 /* one-packet queries */
 case 'Q': /* Query */
+ if (cf_disable_pqexec) {
+ slog_error(client, "Client used 'Q' packet type.");
+ disconnect_client(client, true, "PQexec disallowed");
+ return false;
+ }
 case 'F': /* FunctionCall */
+ /* request immidiate response from server */
+ case 'H': /* Flush */
+ case 'S': /* Sync */
+
 /* copy end markers */
 case 'c': /* CopyDone(F/B) */
 case 'f': /* CopyFail(F/B) */
diff --git a/src/main.c b/src/main.c
index 560b100..8ebc01f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -98,6 +98,7 @@ char *cf_server_reset_query = "";
 char *cf_server_check_query = "select 1";
 usec_t cf_server_check_delay = 30 * USEC;
 int cf_server_round_robin = 0;
+int cf_disable_pqexec = 0;
 char *cf_ignore_startup_params = "";
@@ -174,6 +175,7 @@ ConfElem bouncer_params[] = {
 {"server_round_robin", true, CF_INT, &cf_server_round_robin},
 {"suspend_timeout", true, CF_TIME, &cf_suspend_timeout},
 {"ignore_startup_parameters", true, CF_STR, &cf_ignore_startup_params},
+{"disable_pqexec", false, CF_INT, &cf_disable_pqexec},
 {"pkt_buf", false, CF_INT, &cf_sbuf_len},
 {"sbuf_loopcnt", true, CF_INT, &cf_sbuf_loopcnt},
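Review bot: In the src/client.c hunk, `case 'Q'` now has a body but still drops into `case 'F'` and the shared handling below with no marker, so a later edit that puts code between those labels would silently change what an allowed Query packet does. Add `/* fall through */` after the closing brace of the `if (cf_disable_pqexec)` block, and a comment above the check such as `/* Simple Query can carry several statements per packet; reject it when disable_pqexec is set */` so the security intent is readable in the code and not only in doc/config.txt. The guard covers only packets that reach this switch; handle_client_work starts and ends outside the hunk, so whether an earlier path in the function handles 'Q' before this point cannot be confirmed from here. Each rejected packet also emits `slog_error`, so a client that keeps reconnecting and sending 'Q' can generate a steady stream of error lines; it is worth confirming that this log level is intended.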