git.postgresql.org Git - postgresql.git/commit

projects / postgresql.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: e8386b2) | patch

author	Noah Misch <noah@leadboat.com>
	Mon, 7 Aug 2023 13:05:56 +0000 (06:05 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 7 Aug 2023 13:05:59 +0000 (06:05 -0700)
commit	f53511010b72d7d314e22be7c63ef94792fee345
tree	54d4406af5746be10436d1afdfe269b47f899226	tree
parent	e8386b2cef7741aa4e49870691d67f792d5f6789	commit \| diff

Reject substituting extension schemas or owners matching ["$'\].

Substituting such values in extension scripts facilitated SQL injection
when @extowner@, @extschema@, or @extschema:...@ appeared inside a
quoting construct (dollar quoting, '', or "").  No bundled extension was
vulnerable.  Vulnerable uses do appear in a documentation example and in
non-bundled extensions.  Hence, the attack prerequisite was an
administrator having installed files of a vulnerable, trusted,
non-bundled extension.  Subject to that prerequisite, this enabled an
attacker having database-level CREATE privilege to execute arbitrary
code as the bootstrap superuser.  By blocking this attack in the core
server, there's no need to modify individual extensions.  Back-patch to
v11 (all supported versions).

Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph
Berg.

Security: CVE-2023-39417

src/backend/commands/extension.c		diff \| blob \| blame \| history
src/test/modules/test_extensions/Makefile		diff \| blob \| blame \| history
src/test/modules/test_extensions/expected/test_extensions.out		diff \| blob \| blame \| history
src/test/modules/test_extensions/meson.build		diff \| blob \| blame \| history
src/test/modules/test_extensions/sql/test_extensions.sql		diff \| blob \| blame \| history
src/test/modules/test_extensions/test_ext_extschema--1.0.sql	[new file with mode: 0644]	blob
src/test/modules/test_extensions/test_ext_extschema.control	[new file with mode: 0644]	blob

This is the main PostgreSQL git repository.