Reject substituting extension schemas or owners matching ["$'\].
Noah Misch <noah@leadboat.com>
Reject substituting extension schemas or owners matching ["$'\]. Substituting such values in extension scripts facilitated SQL injection when @extowner@, @extschema@, or @extschema:...@ appeared inside a quoting construct (dollar quoting, '', or ""). No bundled extension was vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite was an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. By blocking this attack in the core server, there's no need to modify individual extensions. Back-patch to v11 (all supported versions). Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg. Security: CVE-2023-39417
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/commands/extension.c | modified | +16 −0 |
| src/test/modules/test_extensions/expected/test_extensions.out | modified | +19 −11 |
| src/test/modules/test_extensions/Makefile | modified | +4 −2 |
| src/test/modules/test_extensions/sql/test_extensions.sql | modified | +13 −4 |
| src/test/modules/test_extensions/test_ext_extschema--1.0.sql | added | +5 −0 |
| src/test/modules/test_extensions/test_ext_extschema.control | added | +3 −0 |