upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-06-13 18:50:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/src
History
Noah Misch 12fd81cb7f Ignore attempts to \gset into specially treated variables. 
If an interactive psql session used \gset when querying a compromised
server, the attacker could execute arbitrary code as the operating
system account running psql.  Using a prefix not found among specially
treated variables, e.g. every lowercase string, precluded the attack.
Fix by issuing a warning and setting no variable for the column in
question.  Users wanting the old behavior can use a prefix and then a
meta-command like "\set HISTSIZE :prefix_HISTSIZE".  Back-patch to 9.5
(all supported versions).

Reviewed by Robert Haas.  Reported by Nick Cleaton.

Security: CVE-2020-25696
2020-11-09 07:32:14 -08:00
..
backend In security-restricted operations, block enqueue of at-commit user code. 2020-11-09 07:32:13 -08:00
bin Ignore attempts to \gset into specially treated variables. 2020-11-09 07:32:14 -08:00
common Replace use of sys_siglist[] with strsignal(). 2020-07-15 22:05:13 -04:00
fe_utils Fix translation of special characters in psql's LaTeX output modes. 2018-11-26 17:32:51 -05:00
include doc: improve description of synchronous_commit modes 2020-10-15 15:15:28 -04:00
interfaces Translation updates 2020-11-09 12:47:52 +01:00
makefiles Select CFLAGS_SL at configure time, not in platform-specific Makefiles. 2019-10-21 12:32:36 -04:00
pl Translation updates 2020-11-09 12:47:52 +01:00
port In the postmaster, rely on the signal infrastructure to block signals. 2020-10-15 12:50:57 -04:00
template Makefile comment: remove reference to tools/thread/thread_test 2020-10-27 14:00:43 -04:00
test Ignore attempts to \gset into specially treated variables. 2020-11-09 07:32:14 -08:00
timezone Update time zone data files to tzdata release 2020d. 2020-10-22 21:24:23 -04:00
tools Sync our copy of the timezone library with IANA release tzcode2020c. 2020-10-16 21:40:16 -04:00
tutorial Update copyright for 2016 2016-01-02 13:33:40 -05:00
.gitignore
bcc32.mak Autoconfiscate selection of 64-bit int type for 64-bit large object API. 2012-10-07 21:52:43 -04:00
DEVELOPERS
Makefile Install TAP test infrastructure so it's available for extension testing. 2016-09-23 15:50:00 -04:00
Makefile.global.in Select CFLAGS_SL at configure time, not in platform-specific Makefiles. 2019-10-21 12:32:36 -04:00
Makefile.shlib Ensure static libraries have correct mod time even if ranlib messes it up. 2018-11-29 15:53:44 -05:00
nls-global.mk nls-global.mk: search build dir for source files, too 2016-06-07 18:55:18 -04:00
win32.mak Autoconfiscate selection of 64-bit int type for 64-bit large object API. 2012-10-07 21:52:43 -04:00