postgresql/contrib/citext/citext--1.1--1.2.sql
Tom Lane 7eeb1d9861 Make contrib modules' installation scripts more secure.
Hostile objects located within the installation-time search_path could
capture references in an extension's installation or upgrade script.
If the extension is being installed with superuser privileges, this
opens the door to privilege escalation.  While such hazards have existed
all along, their urgency increases with the v13 "trusted extensions"
feature, because that lets a non-superuser control the installation path
for a superuser-privileged script.  Therefore, make a number of changes
to make such situations more secure:

* Tweak the construction of the installation-time search_path to ensure
that references to objects in pg_catalog can't be subverted; and
explicitly add pg_temp to the end of the path to prevent attacks using
temporary objects.

* Disable check_function_bodies within installation/upgrade scripts,
so that any security gaps in SQL-language or PL-language function bodies
cannot create a risk of unwanted installation-time code execution.

* Adjust lookup of type input/receive functions and join estimator
functions to complain if there are multiple candidate functions.  This
prevents capture of references to functions whose signature is not the
first one checked; and it's arguably more user-friendly anyway.

* Modify various contrib upgrade scripts to ensure that catalog
modification queries are executed with secure search paths.  (These
are in-place modifications with no extension version changes, since
it is the update process itself that is at issue, not the end result.)

Extensions that depend on other extensions cannot be made fully secure
by these methods alone; therefore, revert the "trusted" marking that
commit eb67623c9 applied to earthdistance and hstore_plperl, pending
some better solution to that set of issues.

Also add documentation around these issues, to help extension authors
write secure installation scripts.

Patch by me, following an observation by Andres Freund; thanks
to Noah Misch for review.

Security: CVE-2020-14350
2020-08-10 10:44:42 -04:00

69 lines
3.3 KiB
PL/PgSQL

/* contrib/citext/citext--1.1--1.2.sql */
-- complain if script is sourced in psql, rather than via ALTER EXTENSION
\echo Use "ALTER EXTENSION citext UPDATE TO '1.2'" to load this file. \quit
ALTER FUNCTION citextin(cstring) PARALLEL SAFE;
ALTER FUNCTION citextout(citext) PARALLEL SAFE;
ALTER FUNCTION citextrecv(internal) PARALLEL SAFE;
ALTER FUNCTION citextsend(citext) PARALLEL SAFE;
ALTER FUNCTION citext(bpchar) PARALLEL SAFE;
ALTER FUNCTION citext(boolean) PARALLEL SAFE;
ALTER FUNCTION citext(inet) PARALLEL SAFE;
ALTER FUNCTION citext_eq(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_ne(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_lt(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_le(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_gt(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_ge(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_cmp(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_hash(citext) PARALLEL SAFE;
ALTER FUNCTION citext_smaller(citext, citext) PARALLEL SAFE;
ALTER FUNCTION citext_larger(citext, citext) PARALLEL SAFE;
ALTER FUNCTION texticlike(citext, citext) PARALLEL SAFE;
ALTER FUNCTION texticnlike(citext, citext) PARALLEL SAFE;
ALTER FUNCTION texticregexeq(citext, citext) PARALLEL SAFE;
ALTER FUNCTION texticregexne(citext, citext) PARALLEL SAFE;
ALTER FUNCTION texticlike(citext, text) PARALLEL SAFE;
ALTER FUNCTION texticnlike(citext, text) PARALLEL SAFE;
ALTER FUNCTION texticregexeq(citext, text) PARALLEL SAFE;
ALTER FUNCTION texticregexne(citext, text) PARALLEL SAFE;
ALTER FUNCTION regexp_matches(citext, citext) PARALLEL SAFE;
ALTER FUNCTION regexp_matches(citext, citext, text) PARALLEL SAFE;
ALTER FUNCTION regexp_replace(citext, citext, text) PARALLEL SAFE;
ALTER FUNCTION regexp_replace(citext, citext, text, text) PARALLEL SAFE;
ALTER FUNCTION regexp_split_to_array(citext, citext) PARALLEL SAFE;
ALTER FUNCTION regexp_split_to_array(citext, citext, text) PARALLEL SAFE;
ALTER FUNCTION regexp_split_to_table(citext, citext) PARALLEL SAFE;
ALTER FUNCTION regexp_split_to_table(citext, citext, text) PARALLEL SAFE;
ALTER FUNCTION strpos(citext, citext) PARALLEL SAFE;
ALTER FUNCTION replace(citext, citext, citext) PARALLEL SAFE;
ALTER FUNCTION split_part(citext, citext, int) PARALLEL SAFE;
ALTER FUNCTION translate(citext, citext, text) PARALLEL SAFE;
-- We have to update aggregates the hard way for lack of ALTER support
DO LANGUAGE plpgsql
$$
DECLARE
my_schema pg_catalog.text := pg_catalog.quote_ident(pg_catalog.current_schema());
old_path pg_catalog.text := pg_catalog.current_setting('search_path');
BEGIN
-- for safety, transiently set search_path to just pg_catalog+pg_temp
PERFORM pg_catalog.set_config('search_path', 'pg_catalog, pg_temp', true);
UPDATE pg_proc SET proparallel = 's'
WHERE oid = (my_schema || '.min(' || my_schema || '.citext)')::pg_catalog.regprocedure;
UPDATE pg_proc SET proparallel = 's'
WHERE oid = (my_schema || '.max(' || my_schema || '.citext)')::pg_catalog.regprocedure;
UPDATE pg_aggregate SET aggcombinefn = (my_schema || '.citext_smaller')::regproc
WHERE aggfnoid = (my_schema || '.max(' || my_schema || '.citext)')::pg_catalog.regprocedure;
UPDATE pg_aggregate SET aggcombinefn = (my_schema || '.citext_larger')::regproc
WHERE aggfnoid = (my_schema || '.max(' || my_schema || '.citext)')::pg_catalog.regprocedure;
PERFORM pg_catalog.set_config('search_path', old_path, true);
END
$$;