mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-08-15 17:33:23 +02:00
The ability to create like-named objects in different schemas opens up the potential for users to change the behavior of other users' queries, maliciously or accidentally. When you connect to a PostgreSQL server, you should remove from your search_path any schema for which a user other than yourself or superusers holds the CREATE privilege. If you do not, other users holding CREATE privilege can redefine the behavior of your commands, causing them to perform arbitrary SQL statements under your identity. "SET search_path = ..." and "SELECT pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one can use either as the first command of a session. As special exceptions, the following client applications behave as documented regardless of search_path settings and schema privileges: clusterdb createdb createlang createuser dropdb droplang dropuser ecpg (not programs it generates) initdb oid2name pg_archivecleanup pg_basebackup pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb vacuumlo. Not included are core client programs that run user-specified SQL commands, namely psql and pgbench. PostgreSQL encourages non-core client applications to do likewise. Document this in the context of libpq connections, psql connections, dblink connections, ECPG connections, extension packaging, and schema usage patterns. The principal defense for applications is "SELECT pg_catalog.set_config('search_path', '', false)", and the principal defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC". Either one is sufficient to prevent attack. After a REVOKE, consider auditing the public schema for objects named like pg_catalog objects. Authors of SECURITY DEFINER functions use some of the same defenses, and the CREATE FUNCTION reference page already covered them thoroughly. This is a good opportunity to audit SECURITY DEFINER functions for robust security practice. Back-patch to 9.3 (all supported versions). Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy Sharoglazov. Security: CVE-2018-1058 |
||
---|---|---|
.. | ||
authentication | ||
examples | ||
isolation | ||
ldap | ||
locale | ||
mb | ||
modules | ||
perl | ||
recovery | ||
regress | ||
ssl | ||
subscription | ||
thread | ||
Makefile | ||
README |
PostgreSQL tests ================ This directory contains a variety of test infrastructure as well as some of the tests in PostgreSQL. Not all tests are here -- in particular, there are more in individual contrib/ modules and in src/bin. Not all these tests get run by "make check". Check src/test/Makefile to see which tests get run automatically. authentication/ Tests for authentication examples/ Demonstration programs for libpq that double as regression tests via "make check" isolation/ Tests for concurrent behavior at the SQL level locale/ Sanity checks for locale data, encodings, etc mb/ Tests for multibyte encoding (UTF-8) support modules/ Extensions used only or mainly for test purposes, generally not suitable for installing in production databases perl/ Infrastructure for Perl-based TAP tests recovery/ Test suite for recovery and replication regress/ PostgreSQL's main regression test suite, pg_regress ssl/ Tests to exercise and verify SSL certificate handling subscription/ Tests for logical replication thread/ A thread-safety-testing utility used by configure