author: Tom Lane <tgl@sss.pgh.pa.us> 2010-05-13 18:29:12 +0000
committer: Tom Lane <tgl@sss.pgh.pa.us> 2010-05-13 18:29:12 +0000
commit: 9ead05b7c3d0fb48a2d5ac6ec0f51c4f276d581d (patch)
tree: 9befb341291b199108a212b1464d88c25d9039ad /doc/src
parent: 1f474d299d02c398fa627d09d23a7a6a1079a310 (diff)
Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unless that is a regular table or view owned by a superuser. This prevents a trojan horse attack whereby any unprivileged SQL user could create such a table and insert code into it that would then get executed in other users' sessions whenever they call pltcl functions. Worse yet, because the code was automatically loaded into both the "normal" and "safe" interpreters at first use, the attacker could execute unrestricted Tcl code in the "normal" interpreter without there being any pltclu functions anywhere, or indeed anyone else using pltcl at all: installing pltcl is sufficient to open the hole.

Change the initialization logic so that the "unknown" code is only loaded into an interpreter when the interpreter is first really used. (That doesn't add any additional security in this particular context, but it seems a prudent change, and anyway the former behavior violated the principle of least astonishment.)

Security: CVE-2010-1170
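The acceptance rule the commit message describes (a relation named pltcl_modules is honoured only if it is a regular table or view owned by a superuser) can be checked from SQL by an administrator auditing an existing database. The query below is an added example, not part of the commit or of PostgreSQL; it assumes only the standard catalog columns pg_class.relkind, pg_class.relowner and pg_roles.rolsuper, and lists every schema because PL/Tcl locates the table by name, so a copy in another schema is worth seeing too.

```sql
-- Added example (not part of the commit): apply the commit's acceptance rule
-- to every relation called pltcl_modules.
--   relkind 'r' = regular table, 'v' = view; anything else is ignored by PL/Tcl
--   rolsuper    = the owning role is a superuser
SELECT n.nspname                                  AS schema_name,
       c.relname                                  AS relation_name,
       c.relkind                                  AS kind,
       r.rolname                                  AS owner,
       r.rolsuper                                 AS owner_is_superuser,
       (c.relkind IN ('r', 'v') AND r.rolsuper)   AS would_be_loaded
FROM   pg_catalog.pg_class     c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = c.relowner
WHERE  c.relname = 'pltcl_modules'
ORDER  BY would_be_loaded DESC, n.nspname;

-- The documentation change says write privileges on the table may be granted
-- to trusted users; this lists who currently holds them so that list can be
-- reviewed.  Assumption: the table lives in a schema visible to the caller.
SELECT grantee, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_name = 'pltcl_modules'
  AND  privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY grantee, privilege_type;
```

A row with would_be_loaded = false for the pltcl_modules that PL/Tcl would actually find means the module is silently skipped after this fix; a row with would_be_loaded = true owned by a superuser, plus a short and deliberate grantee list from the second query, is the configuration the updated documentation recommends.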
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/pltcl.sgml | 14
1 files changed, 10 insertions, 4 deletions
diff --git a/doc/src/sgml/pltcl.sgml b/doc/src/sgml/pltcl.sgml
index c4ea226a7fe..5a425a8cb44 100644
--- a/doc/src/sgml/pltcl.sgml
+++ b/doc/src/sgml/pltcl.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/pltcl.sgml,v 2.49 2010/04/03 07:22:55 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/pltcl.sgml,v 2.50 2010/05/13 18:29:12 tgl Exp $ -->
<chapter id="pltcl">
<title>PL/Tcl - Tcl Procedural Language</title>
@@ -689,8 +689,10 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
It recognizes a special table, <literal>pltcl_modules</>, which
is presumed to contain modules of Tcl code. If this table
exists, the module <literal>unknown</> is fetched from the table
- and loaded into the Tcl interpreter immediately after creating
- the interpreter.
+ and loaded into the Tcl interpreter immediately before the first
+ execution of a PL/Tcl function in a database session. (This
+ happens separately for PL/Tcl and PL/TclU, if both are used,
+ because separate interpreters are used for the two languages.)
</para>
<para>
While the <literal>unknown</> module could actually contain any
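Review bot: the unchanged context line "If this table exists, the module <literal>unknown</> is fetched" is now incomplete, because the later hunk makes superuser ownership a second condition for the table being used at all; suggest changing it to "If this table exists and is owned by a superuser" (or adding a cross-reference to the security note below) so a reader of this paragraph alone is not misled. The new wording "immediately before the first execution of a PL/Tcl function in a database session" also implies that the module is loaded once per session and that later changes to pltcl_modules are not picked up until a new session; stating that explicitly would save readers from testing it.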
@@ -717,7 +719,11 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
<para>
The tables <literal>pltcl_modules</> and <literal>pltcl_modfuncs</>
must be readable by all, but it is wise to make them owned and
- writable only by the database administrator.
+ writable only by the database administrator. As a security
+ precaution, PL/Tcl will ignore <literal>pltcl_modules</> (and thus,
+ not attempt to load the <literal>unknown</> module) unless it is
+ owned by a superuser. But update privileges on this table can be
+ granted to other users, if you trust them sufficiently.
</para>
</sect1>
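Review bot: the added sentence "But update privileges on this table can be granted to other users, if you trust them sufficiently" understates the trust involved and is imprecise about which privileges matter. Per the commit message, code placed in this table runs in every other user's session and, for the PL/TclU interpreter, is unrestricted, so a grantee is effectively trusted as a superuser; suggest saying so, and naming INSERT/UPDATE (and DELETE) rather than the vaguer "update privileges". It would also help to note that the ownership check is the only thing PL/Tcl verifies: the precaution does not inspect the table's contents, so keeping the table "readable by all" but writable only by the owner is still what makes the scheme safe.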