Commit 17fe2793 authored by Tom Lane's avatar Tom Lane

Fix insecure parsing of server command-line switches.

An oversight in commit e710b65c allowed
database names beginning with "-" to be treated as though they were secure
command-line switches; and this switch processing occurs before client
authentication, so that even an unprivileged remote attacker could exploit
the bug, needing only connectivity to the postmaster's port.  Assorted
exploits for this are possible, some requiring a valid database login,
some not.  The worst known problem is that the "-r" switch can be invoked
to redirect the process's stderr output, so that subsequent error messages
will be appended to any file the server can write.  This can for example be
used to corrupt the server's configuration files, so that it will fail when
next restarted.  Complete destruction of database tables is also possible.

Fix by keeping the database name extracted from a startup packet fully
separate from command-line switches, as had already been done with the
user name field.

The Postgres project thanks Mitsumasa Kondo for discovering this bug,
Kyotaro Horiguchi for drafting the fix, and Noah Misch for recognizing
the full extent of the danger.

Security: CVE-2013-1899
parent ce9ab889
...@@ -189,7 +189,9 @@ main(int argc, char *argv[]) ...@@ -189,7 +189,9 @@ main(int argc, char *argv[])
else if (argc > 1 && strcmp(argv[1], "--describe-config") == 0) else if (argc > 1 && strcmp(argv[1], "--describe-config") == 0)
GucInfoMain(); /* does not return */ GucInfoMain(); /* does not return */
else if (argc > 1 && strcmp(argv[1], "--single") == 0) else if (argc > 1 && strcmp(argv[1], "--single") == 0)
PostgresMain(argc, argv, get_current_username(progname)); /* does not return */ PostgresMain(argc, argv,
NULL, /* no dbname */
get_current_username(progname)); /* does not return */
else else
PostmasterMain(argc, argv); /* does not return */ PostmasterMain(argc, argv); /* does not return */
abort(); /* should not get here */ abort(); /* should not get here */
......
...@@ -3943,7 +3943,7 @@ BackendRun(Port *port) ...@@ -3943,7 +3943,7 @@ BackendRun(Port *port)
* from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see * from ExtraOptions is (strlen(ExtraOptions) + 1) / 2; see
* pg_split_opts(). * pg_split_opts().
*/ */
maxac = 5; /* for fixed args supplied below */ maxac = 2; /* for fixed args supplied below */
maxac += (strlen(ExtraOptions) + 1) / 2; maxac += (strlen(ExtraOptions) + 1) / 2;
av = (char **) MemoryContextAlloc(TopMemoryContext, av = (char **) MemoryContextAlloc(TopMemoryContext,
...@@ -3959,11 +3959,6 @@ BackendRun(Port *port) ...@@ -3959,11 +3959,6 @@ BackendRun(Port *port)
*/ */
pg_split_opts(av, &ac, ExtraOptions); pg_split_opts(av, &ac, ExtraOptions);
/*
* Tell the backend which database to use.
*/
av[ac++] = port->database_name;
av[ac] = NULL; av[ac] = NULL;
Assert(ac < maxac); Assert(ac < maxac);
...@@ -3986,7 +3981,7 @@ BackendRun(Port *port) ...@@ -3986,7 +3981,7 @@ BackendRun(Port *port)
*/ */
MemoryContextSwitchTo(TopMemoryContext); MemoryContextSwitchTo(TopMemoryContext);
PostgresMain(ac, av, port->user_name); PostgresMain(ac, av, port->database_name, port->user_name);
} }
......
...@@ -3247,13 +3247,14 @@ get_stats_option_name(const char *arg) ...@@ -3247,13 +3247,14 @@ get_stats_option_name(const char *arg)
* coming from the client, or PGC_SUSET for insecure options coming from * coming from the client, or PGC_SUSET for insecure options coming from
* a superuser client. * a superuser client.
* *
* Returns the database name extracted from the command line, if any. * If a database name is present in the command line arguments, it's
* returned into *dbname (this is allowed only if *dbname is initially NULL).
* ---------------------------------------------------------------- * ----------------------------------------------------------------
*/ */
const char * void
process_postgres_switches(int argc, char *argv[], GucContext ctx) process_postgres_switches(int argc, char *argv[], GucContext ctx,
const char **dbname)
{ {
const char *dbname;
bool secure = (ctx == PGC_POSTMASTER); bool secure = (ctx == PGC_POSTMASTER);
int errs = 0; int errs = 0;
GucSource gucsource; GucSource gucsource;
...@@ -3304,7 +3305,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3304,7 +3305,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
case 'b': case 'b':
/* Undocumented flag used for binary upgrades */ /* Undocumented flag used for binary upgrades */
IsBinaryUpgrade = true; if (secure)
IsBinaryUpgrade = true;
break; break;
case 'C': case 'C':
...@@ -3321,7 +3323,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3321,7 +3323,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
break; break;
case 'E': case 'E':
EchoQuery = true; if (secure)
EchoQuery = true;
break; break;
case 'e': case 'e':
...@@ -3346,7 +3349,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3346,7 +3349,8 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
break; break;
case 'j': case 'j':
UseNewLine = 0; if (secure)
UseNewLine = 0;
break; break;
case 'k': case 'k':
...@@ -3464,13 +3468,10 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3464,13 +3468,10 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
} }
/* /*
* Should be no more arguments except an optional database name, and * Optional database name should be there only if *dbname is NULL.
* that's only in the secure case.
*/ */
if (!errs && secure && argc - optind >= 1) if (!errs && dbname && *dbname == NULL && argc - optind >= 1)
dbname = strdup(argv[optind++]); *dbname = strdup(argv[optind++]);
else
dbname = NULL;
if (errs || argc != optind) if (errs || argc != optind)
{ {
...@@ -3499,8 +3500,6 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3499,8 +3500,6 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
#ifdef HAVE_INT_OPTRESET #ifdef HAVE_INT_OPTRESET
optreset = 1; /* some systems need this too */ optreset = 1; /* some systems need this too */
#endif #endif
return dbname;
} }
...@@ -3510,14 +3509,16 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx) ...@@ -3510,14 +3509,16 @@ process_postgres_switches(int argc, char *argv[], GucContext ctx)
* *
* argc/argv are the command line arguments to be used. (When being forked * argc/argv are the command line arguments to be used. (When being forked
* by the postmaster, these are not the original argv array of the process.) * by the postmaster, these are not the original argv array of the process.)
* username is the (possibly authenticated) PostgreSQL user name to be used * dbname is the name of the database to connect to, or NULL if the database
* for the session. * name should be extracted from the command line arguments or defaulted.
* username is the PostgreSQL user name to be used for the session.
* ---------------------------------------------------------------- * ----------------------------------------------------------------
*/ */
void void
PostgresMain(int argc, char *argv[], const char *username) PostgresMain(int argc, char *argv[],
const char *dbname,
const char *username)
{ {
const char *dbname;
int firstchar; int firstchar;
StringInfoData input_message; StringInfoData input_message;
sigjmp_buf local_sigjmp_buf; sigjmp_buf local_sigjmp_buf;
...@@ -3564,7 +3565,7 @@ PostgresMain(int argc, char *argv[], const char *username) ...@@ -3564,7 +3565,7 @@ PostgresMain(int argc, char *argv[], const char *username)
/* /*
* Parse command-line options. * Parse command-line options.
*/ */
dbname = process_postgres_switches(argc, argv, PGC_POSTMASTER); process_postgres_switches(argc, argv, PGC_POSTMASTER, &dbname);
/* Must have gotten a database name, or have a default (the username) */ /* Must have gotten a database name, or have a default (the username) */
if (dbname == NULL) if (dbname == NULL)
......
...@@ -969,7 +969,7 @@ process_startup_options(Port *port, bool am_superuser) ...@@ -969,7 +969,7 @@ process_startup_options(Port *port, bool am_superuser)
Assert(ac < maxac); Assert(ac < maxac);
(void) process_postgres_switches(ac, av, gucctx); (void) process_postgres_switches(ac, av, gucctx, NULL);
} }
/* /*
......
...@@ -69,9 +69,11 @@ extern void RecoveryConflictInterrupt(ProcSignalReason reason); /* called from S ...@@ -69,9 +69,11 @@ extern void RecoveryConflictInterrupt(ProcSignalReason reason); /* called from S
* handler */ * handler */
extern void prepare_for_client_read(void); extern void prepare_for_client_read(void);
extern void client_read_ended(void); extern void client_read_ended(void);
extern const char *process_postgres_switches(int argc, char *argv[], extern void process_postgres_switches(int argc, char *argv[],
GucContext ctx); GucContext ctx, const char **dbname);
extern void PostgresMain(int argc, char *argv[], const char *username) __attribute__((noreturn)); extern void PostgresMain(int argc, char *argv[],
const char *dbname,
const char *username) __attribute__((noreturn));
extern long get_stack_depth_rlimit(void); extern long get_stack_depth_rlimit(void);
extern void ResetUsage(void); extern void ResetUsage(void);
extern void ShowUsage(const char *title); extern void ShowUsage(const char *title);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment