I just noticed that all of tsearch2's "dict init" routines are declared
like this:
CREATE FUNCTION dex_init(text)
returns internal
as 'MODULE_PATHNAME'
language 'C';
This is really unacceptable, because it breaks the type safety of the
"internal" pseudotype. I quote from datatype.sgml:
The internal pseudo-type is used to declare functions
that are meant only to be called internally by the database
system, and not by direct invocation in a SQL
query. If a function has at least one internal-type
argument then it cannot be called from SQL. To
preserve the type safety of this restriction it is important to
follow this coding rule: do not create any function that is
declared to return internal unless it has at least one
internal argument.
In a database with these functions installed, it will be trivial for
anyone to crash the backend (and perhaps do worse things) since he can
pass the result of dex_init to any function taking an internal argument
--- almost none of which are expecting a dict data structure.
Please change these at once. The best solution might be to declare
an actual "dict" datatype for these functions to return.
Another security issue is that these functions can be used to read any
file that the backend can read. I'm not sure at the moment whether a
bad guy could do anything useful with the result (are the contents of
stoplists exposed anywhere?) but it seems fairly dangerous to allow
arbitrary pathnames in the argument.
A possible short-term solution is to revoke public execute rights on
these functions, so that only superusers can call them.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
