pgsql: Make contrib modules' installation scripts more secure. - Mailing list pgsql-committers
| From | Tom Lane |
|---|---|
| Subject | pgsql: Make contrib modules' installation scripts more secure. |
| Date | |
| Msg-id | E1k5933-0004Ac-Ol@gemulon.postgresql.org Whole thread Raw |
| List | pgsql-committers |
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/7eeb1d9861b0a3f453f8b31c7648396cdd7f1e59 Modified Files -------------- contrib/btree_gist/btree_gist--1.1--1.2.sql | 56 +++++--- contrib/citext/citext--1.1--1.2.sql | 26 +++- contrib/citext/citext--1.2--1.3.sql | 18 ++- contrib/cube/cube--1.1--1.2.sql | 25 +++- contrib/cube/cube--1.3--1.4.sql | 25 +++- contrib/earthdistance/earthdistance--1.1.sql | 2 +- contrib/earthdistance/earthdistance.control | 1 - contrib/hstore/hstore--1.1--1.2.sql | 9 +- contrib/hstore/hstore--1.3--1.4.sql | 35 +++-- contrib/hstore_plperl/hstore_plperl.control | 1 - contrib/intagg/intagg--1.0--1.1.sql | 14 +- contrib/intarray/intarray--1.1--1.2.sql | 27 +++- contrib/ltree/ltree--1.0--1.1.sql | 37 +++-- contrib/pg_trgm/pg_trgm--1.2--1.3.sql | 25 +++- contrib/seg/seg--1.0--1.1.sql | 23 ++- contrib/seg/seg--1.2--1.3.sql | 25 +++- doc/src/sgml/earthdistance.sgml | 27 +++- doc/src/sgml/extend.sgml | 203 ++++++++++++++++++++++----- doc/src/sgml/hstore.sgml | 12 +- doc/src/sgml/ltree.sgml | 9 ++ doc/src/sgml/ref/create_extension.sgml | 37 ++++- src/backend/commands/extension.c | 21 ++- src/backend/commands/operatorcmds.c | 26 +++- src/backend/commands/typecmds.c | 50 +++++-- 24 files changed, 575 insertions(+), 159 deletions(-)
pgsql-committers by date: