Ignore attempts to \gset into specially treated variables. If an interactive psql session used \gset when querying a compromised server, the attacker could execute arbitrary code as the operating system account running psql. Using a prefix not found among specially treated variables, e.g. every lowercase string, precluded the attack. Fix by issuing a warning and setting no variable for the column in question. Users wanting the old behavior can use a prefix and then a meta-command like "\set HISTSIZE :prefix_HISTSIZE". Back-patch to 9.5 (all supported versions).
Reviewed by Robert Haas. Reported by Nick Cleaton. Security: CVE-2020-25696 Branch ------ REL_10_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/a498db87be103f93856dd515a574b2d67d3c1237 Modified Files -------------- src/bin/psql/common.c | 7 +++++++ src/bin/psql/variables.c | 26 ++++++++++++++++++++++++++ src/bin/psql/variables.h | 1 + src/test/regress/expected/psql.out | 4 ++++ src/test/regress/sql/psql.sql | 3 +++ 5 files changed, 41 insertions(+)
