Participants
PG Bug reporting form
PG Bug reporting form
David G. Johnston
David G. Johnston
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1PG Bug reporting formPG Bug reporting form
Aug 17, 2021
#2David G. JohnstonDavid G. Johnstonto PG Bug reporting form (#1)
Aug 17, 2021
#3Tom LaneTom Laneto David G. Johnston (#2)
Aug 17, 2021

Potential vuln in example for "F.25.1.1. digest()"

Started by PG Bug reporting formover 4 years ago3 messagesdocs
Jump to latest
#1PG Bug reporting form
PG Bug reporting form
noreply@postgresql.org

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/13/pgcrypto.html
Description:

Hi,
in "F.25.1.1. digest()" you suggest:

CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;

While this is a great example, it may expose a database app to
vulnerabilities if the attacker succeeds in overriding the function
sha1(...) in the app's user context (schema). This may or may not require
administrative privileges.
Explicitly putting it into the "postgres" schema and calling it using
"postgres.sha1(...)" could mitigate the risk in such a way that
administrative privileges are required.

Do you have an even better solution to secure it?

:-) Beat

#2David G. Johnston
David G. Johnston
david.g.johnston@gmail.com
In reply to: PG Bug reporting form (#1)
Re: Potential vuln in example for "F.25.1.1. digest()"

On Tuesday, August 17, 2021, PG Doc comments form <noreply@postgresql.org>
wrote:

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/13/pgcrypto.html
Description:

Hi,
in "F.25.1.1. digest()" you suggest:

CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;

While this is a great example, it may expose a database app to
vulnerabilities if the attacker succeeds in overriding the function
sha1(...) in the app's user context (schema)

You should read this:

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

David J.

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: David G. Johnston (#2)
Re: Potential vuln in example for "F.25.1.1. digest()"

"David G. Johnston" <david.g.johnston@gmail.com> writes:

On Tuesday, August 17, 2021, PG Doc comments form <noreply@postgresql.org>
wrote:

in "F.25.1.1. digest()" you suggest:

CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;

While this is a great example, it may expose a database app to
vulnerabilities if the attacker succeeds in overriding the function
sha1(...) in the app's user context (schema)

You should read this:
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

Yeah. I can't get terribly excited about trying to make this one
example unconditionally-secure; there are dozens if not hundreds
of similar cases in our docs. Trying to make them all safe
against insecure search paths would mostly result in unreadable
examples.

regards, tom lane

← Back to Topics