rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

stringToNode() and deparse_expression_pretty() crash on invalid input, 

but we have nevertheless exposed them to users via pg_get_expr(). It would
be too much maintenance effort to rigorously check the input, so put a hack
in place instead to restrict pg_get_expr() so that the argument must come
from one of the system catalog columns known to contain valid expressions.

Per report from Rushabh Lathia. Backpatch to 7.4 which is the oldest
supported version at the moment.
This commit is contained in:
Heikki Linnakangas 2010-06-30 18:11:32 +00:00
parent 221f4def6c
commit 8f36605efc
3 changed files with 96 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
src/backend/parser/parse_expr.c
View File

@ -8,13 +8,16 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/parser/parse_expr.c,v 1.179.4.3 2005/11/18 23:08:28 tgl Exp $
* $PostgreSQL: pgsql/src/backend/parser/parse_expr.c,v 1.179.4.4 2010/06/30 18:11:31 heikki Exp $
*
*-------------------------------------------------------------------------
*/
#include "postgres.h"
#include "catalog/catname.h"
#include "catalog/pg_attrdef.h"
#include "catalog/pg_constraint.h"
#include "catalog/pg_operator.h"
#include "catalog/pg_proc.h"
#include "commands/dbcommands.h"
@ -32,6 +35,7 @@
#include "parser/parse_relation.h"
#include "parser/parse_type.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/syscache.h"
@ -435,6 +439,82 @@ transformExpr(ParseState *pstate, Node *expr)
fn->agg_star,
fn->agg_distinct,
false);
/*
* pg_get_expr() is a system function that exposes the
* expression deparsing functionality in ruleutils.c to users.
* Very handy, but it was later realized that the functions in
* ruleutils.c don't check the input rigorously, assuming it to
* come from system catalogs and to therefore be valid. That
* makes it easy for a user to crash the backend by passing a
* maliciously crafted string representation of an expression
* to pg_get_expr().
*
* There's a lot of code in ruleutils.c, so it's not feasible
* to add water-proof input checking after the fact. Even if
* we did it once, it would need to be taken into account in
* any future patches too.
*
* Instead, we restrict pg_rule_expr() to only allow input from
* system catalogs instead. This is a hack, but it's the most
* robust and easiest to backpatch way of plugging the
* vulnerability.
*
* This is transparent to the typical usage pattern of
* "pg_get_expr(systemcolumn, ...)", but will break
* "pg_get_expr('foo', ...)", even if 'foo' is a valid
* expression fetched earlier from a system catalog. Hopefully
* there's isn't many clients doing that out there.
*/
if (result && IsA(result, FuncExpr) && !superuser())
{
FuncExpr *fe = (FuncExpr *) result;
if (fe->funcid == F_PG_GET_EXPR ||
fe->funcid == F_PG_GET_EXPR_EXT)
{
Expr *arg = linitial(fe->args);
bool allowed = false;
/*
* Check that the argument came directly from one of the
* allowed system catalog columns
*/
if (IsA(arg, Var))
{
Var *var = (Var *) arg;
RangeTblEntry *rte;
rte = GetRTEByRangeTablePosn(pstate,
var->varno, var->varlevelsup);
if (rte->relid == get_system_catalog_relid(IndexRelationName))
{
if (var->varattno == Anum_pg_index_indexprs ||
var->varattno == Anum_pg_index_indpred)
allowed = true;
}
else if (rte->relid == get_system_catalog_relid(AttrDefaultRelationName))
{
if (var->varattno == Anum_pg_attrdef_adbin)
allowed = true;
}
else if (rte->relid == get_system_catalog_relid(ConstraintRelationName))
{
if (var->varattno == Anum_pg_constraint_conbin)
allowed = true;
}
else if (rte->relid == get_system_catalog_relid(TypeRelationName))
{
if (var->varattno == Anum_pg_type_typdefaultbin)
allowed = true;
}
}
if (!allowed)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("argument to pg_get_expr() must come from system catalogs")));
}
}
break;
}
case T_SubLink:

13
src/backend/tcop/fastpath.c
View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/tcop/fastpath.c,v 1.77.4.1 2006/06/11 15:49:46 tgl Exp $
* $PostgreSQL: pgsql/src/backend/tcop/fastpath.c,v 1.77.4.2 2010/06/30 18:11:32 heikki Exp $
*
* NOTES
* This cruft is the server side of PQfn.
@ -28,6 +28,7 @@
#include "tcop/fastpath.h"
#include "tcop/tcopprot.h"
#include "utils/acl.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/syscache.h"
#include "utils/tqual.h"
@ -345,6 +346,16 @@ HandleFunctionRequest(StringInfo msgBuf)
aclcheck_error(aclresult, ACL_KIND_PROC,
get_func_name(fid));
/*
* Restrict access to pg_get_expr(). This reflects the hack in
* transformExpr() in parse_expr.c, see comments there on FuncCall for an
* explanation.
*/
if ((fid == F_PG_GET_EXPR || fid == F_PG_GET_EXPR_EXT) && !superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("argument to pg_get_expr() must come from system catalogs")));
/*
* Prepare function call info block and insert arguments.
*/

4
src/include/catalog/pg_constraint.h
View File

@ -8,7 +8,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $PostgreSQL: pgsql/src/include/catalog/pg_constraint.h,v 1.14 2004/12/31 22:03:24 pgsql Exp $
* $PostgreSQL: pgsql/src/include/catalog/pg_constraint.h,v 1.14.4.1 2010/06/30 18:11:32 heikki Exp $
*
* NOTES
* the genbki.sh script reads this file and generates .bki
@ -19,6 +19,8 @@
#ifndef PG_CONSTRAINT_H
#define PG_CONSTRAINT_H
#include "nodes/pg_list.h"
/* ----------------
* postgres.h contains the system type definitions and the
* CATALOG(), BOOTSTRAP and DATA() sugar words so this file