mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Empty search_path in logical replication apply worker and walsender.

Browse Source 
This is like CVE-2018-1058 commit
582edc369cdbd348d68441fc50fa26a84afd0c1a.  Today, a malicious user of a
publisher or subscriber database can invoke arbitrary SQL functions
under an identity running replication, often a superuser.  This fix may
cause "does not exist" or "no schema has been selected to create in"
errors in a replication process.  After upgrading, consider watching
server logs for these errors.  Objects accruing schema qualification in
the wake of the earlier commit are unlikely to need further correction.
Back-patch to v10, which introduced logical replication.

Security: CVE-2020-14349
This commit is contained in:
Noah Misch 2020-08-10 09:22:54 -07:00
parent 41dae35532
commit 412c5c4010
3 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
View File

@ -21,6 +21,7 @@
#include "access/xlog.h" #include "access/xlog.h"
#include "catalog/pg_type.h" #include "catalog/pg_type.h"
#include "common/connect.h"
#include "funcapi.h" #include "funcapi.h"
#include "libpq-fe.h" #include "libpq-fe.h"
#include "mb/pg_wchar.h" #include "mb/pg_wchar.h"
@ -213,6 +214,22 @@ libpqrcv_connect(const char *conninfo, bool logical, const char *appname,
return NULL; return NULL;
} }
if (logical)
{
PGresult *res;
res = libpqrcv_PQexec(conn->streamConn,
ALWAYS_SECURE_SEARCH_PATH_SQL);
if (PQresultStatus(res) != PGRES_TUPLES_OK)
{
PQclear(res);
ereport(ERROR,
(errmsg("could not clear search path: %s",
pchomp(PQerrorMessage(conn->streamConn)))));
}
PQclear(res);
}
conn->logical = logical; conn->logical = logical;
return conn; return conn;

6
src/backend/replication/logical/worker.c
View File

@ -1988,6 +1988,12 @@ ApplyWorkerMain(Datum main_arg)
MyLogicalRepWorker->userid, MyLogicalRepWorker->userid,
0); 0);
/*
* Set always-secure search path, so malicious users can't redirect user
* code (e.g. pg_index.indexprs).
*/
SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
/* Load the subscription into persistent memory context. */ /* Load the subscription into persistent memory context. */
ApplyContext = AllocSetContextCreate(TopMemoryContext, ApplyContext = AllocSetContextCreate(TopMemoryContext,
"ApplyContext", "ApplyContext",

4
src/test/subscription/t/001_rep_changes.pl
View File

@ -16,6 +16,10 @@ $node_subscriber->init(allows_streaming => 'logical');
$node_subscriber->start; $node_subscriber->start;
# Create some preexisting content on publisher # Create some preexisting content on publisher
$node_publisher->safe_psql(
'postgres',
"CREATE FUNCTION public.pg_get_replica_identity_index(int)
RETURNS regclass LANGUAGE sql AS 'SELECT 1/0'"); # shall not call
$node_publisher->safe_psql('postgres', $node_publisher->safe_psql('postgres',
"CREATE TABLE tab_notrep AS SELECT generate_series(1,10) AS a"); "CREATE TABLE tab_notrep AS SELECT generate_series(1,10) AS a");
$node_publisher->safe_psql('postgres', $node_publisher->safe_psql('postgres',