Reject substituting extension schemas or owners matching ["$'\]. Substituting such values in extension scripts facilitated SQL injection when @extowner@, @extschema@, or @extschema:...@ appeared inside a quoting construct (dollar quoting, '', or ""). No bundled extension was vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite was an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. By blocking this attack in the core server, there's no need to modify individual extensions. Back-patch to v11 (all supported versions).
Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg. Security: CVE-2023-39417 Branch ------ REL_15_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/de494ec14f6bd7f2676623a5934723a6c8ba51c2 Modified Files -------------- src/backend/commands/extension.c | 21 +++++++++++++++ src/test/modules/test_extensions/Makefile | 2 ++ .../test_extensions/expected/test_extensions.out | 30 ++++++++++++++-------- .../test_extensions/sql/test_extensions.sql | 17 +++++++++--- .../test_extensions/test_ext_extschema--1.0.sql | 5 ++++ .../test_extensions/test_ext_extschema.control | 3 +++ 6 files changed, 63 insertions(+), 15 deletions(-)