
Commit 60768ad

committed
Add explicit pg_temp to search_path
When pg_temp is not part of search_path, PostgreSQL will prepend it to search_path, allowing catalog objects to be shadowed and leading to arbitrary code execution.
1 parent 800ddd3 commit 60768ad

2 files changed

Lines changed: 10 additions & 10 deletions


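--- a/build_scripts/shared_install.sh
+++ b/build_scripts/shared_install.sh
@@ -271,12 +271,12 @@ DECLARE
 alter_sql text;
 BEGIN
 
-SET local search_path to 'pg_catalog';
+SET local search_path to pg_catalog, pg_temp;
 
 FOR alter_sql IN
 SELECT
 format(
-$$ALTER FUNCTION %I.%I(%s) SET search_path = 'pg_catalog'$$,
+$$ALTER FUNCTION %I.%I(%s) SET search_path = pg_catalog, pg_temp$$,
 nspname,
 proname,
 pg_catalog.pg_get_function_identity_arguments(pp.oid)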
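Review bot: The two rewritten lines (the `SET local search_path` at new line 274 and the `ALTER FUNCTION … SET search_path` template at 279) carry no comment saying why `pg_temp` is listed, and listed last, so a later cleanup could drop it as redundant. I would add above line 274 in the embedded SQL: `-- pg_temp must be listed explicitly and last; if omitted, PostgreSQL searches it first for relations and types`. The loop also appears to overwrite any per-function search_path (its WHERE clause is outside the hunk), so it presumably has to run before scripts/tsdbadmin.sql re-adds the pgcrypto schema for tsdbadmin.reset_password; that ordering is worth confirming. The enclosing block starts before and continues after this hunk.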

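--- a/scripts/tsdbadmin.sql
+++ b/scripts/tsdbadmin.sql
@@ -43,7 +43,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.assert_admin(
 )
 RETURNS void
 LANGUAGE plpgsql
-SET search_path TO 'pg_catalog'
+SET search_path TO pg_catalog, pg_temp
 AS $function$
 DECLARE
 -- We need to ensure we get the correct role. As we may be called from Security Definer functions, we should
@@ -139,7 +139,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.assert_password_requirements(
 )
 RETURNS void
 LANGUAGE plpgsql
-SET search_path TO 'pg_catalog'
+SET search_path TO pg_catalog, pg_temp
 SET log_statement TO 'none' -- We do not want any function handling passwords to be logged
 AS $function$
 DECLARE
@@ -174,7 +174,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.reset_password(
 RETURNS record
 LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path TO 'pg_catalog'
+SET search_path TO pg_catalog, pg_temp
 SET log_statement TO 'none' -- We do not want any function handling passwords to be logged
 SET log_min_duration_statement TO '-1'
 SET pg_stat_statements.track_utility TO 'off'
@@ -225,7 +225,7 @@ $$
 DECLARE
 pgcrypto_namespace oid := (SELECT extnamespace FROM pg_extension WHERE extname='pgcrypto');
 BEGIN
-EXECUTE format('ALTER FUNCTION tsdbadmin.reset_password SET search_path TO pg_catalog, %s;', pgcrypto_namespace::regnamespace);
+EXECUTE format('ALTER FUNCTION tsdbadmin.reset_password SET search_path TO pg_catalog, %s, pg_temp;', pgcrypto_namespace::regnamespace);
 
 /* We ensure the dependency we created on pgcrypto.gen_random_bytes is part of the catalogs
 
@@ -239,7 +239,7 @@ BEGIN
 'tsdbadmin.reset_password'::regproc,
 0,
 'pg_catalog.pg_proc'::regclass,
-format('%s.gen_random_bytes', pgcrypto_namespace::regnamespace)::regproc,
+pg_catalog.format('%s.gen_random_bytes', pgcrypto_namespace::regnamespace)::regproc,
 0,
 'n'
 ;
@@ -260,7 +260,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.alter_user(
 RETURNS name
 LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path TO 'pg_catalog'
+SET search_path TO pg_catalog, pg_temp
 SET log_statement TO 'none' -- We do not want any function handling passwords to be logged
 AS $function$
 DECLARE
@@ -328,7 +328,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.create_user(
 RETURNS record
 LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path TO 'pg_catalog'
+SET search_path TO pg_catalog, pg_temp
 SET log_statement TO 'none' -- We do not want any function handling passwords to be logged
 AS $function$
 DECLARE
@@ -379,7 +379,7 @@ CREATE OR REPLACE FUNCTION tsdbadmin.drop_user(
 RETURNS name
 LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path to 'pg_catalog'
+SET search_path to pg_catalog, pg_temp
 AS $function$
 BEGIN
 IF if_exists AND to_regrole(username) IS NULL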
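Review bot: The `EXECUTE format(...)` at new line 228 and the `FROM pg_extension` lookup at line 226 are still unqualified, although this commit qualifies the same call as `pg_catalog.format` at line 242. These lines sit in a `$$` block whose search_path is not pinned in the visible hunks, so they presumably resolve through the caller's session path; for consistency use `EXECUTE pg_catalog.format(` and `FROM pg_catalog.pg_extension`. Separately, the new path for tsdbadmin.reset_password places the pgcrypto schema between pg_catalog and pg_temp for a SECURITY DEFINER function, so it is worth checking at install time that untrusted roles cannot create objects in that schema. The block's start and end are outside the hunks at 225 and 239.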
