Title: [1020] trunk/tests/test_dbapi20.py: Test that internal query uses qualified operator
- Revision
- 1020
- Author
- cito
- Date
- 2019-10-03 07:38:50 -0400 (Thu, 03 Oct 2019)
Log Message
Test that internal query uses qualified operator
Modified: trunk/tests/test_dbapi20.py (1019 => 1020)
--- trunk/tests/test_dbapi20.py 2019-09-27 16:23:48 UTC (rev 1019)
+++ trunk/tests/test_dbapi20.py 2019-10-03 11:38:50 UTC (rev 1020)
@@ -1355,6 +1355,42 @@
objs[:] = [obj for obj in objs if repr(obj) != '(<NULL>,)']
self.assertEqual(len(objs), 0)
+ def test_cve_2018_1058(self):
+ # internal queries should use qualified table and operator names,
+ # see https://nvd.nist.gov/vuln/detail/CVE-2018-1058
+ con = self._connect()
+ cur = con.cursor()
+ execute = cur.execute
+ try:
+ execute("SET TIMEZONE TO 'UTC'")
+ execute("SHOW TIMEZONE")
+ self.assertEqual(cur.fetchone()[0], 'UTC')
+ execute("""
+ CREATE OR REPLACE FUNCTION public.bad_eq(oid, integer)
+ RETURNS boolean AS $$
+ BEGIN
+ SET TIMEZONE TO 'CET';
+ RETURN oideq($1, $2::oid);
+ END
+ $$ LANGUAGE plpgsql
+ """)
+ execute("""
+ CREATE OPERATOR public.= (
+ PROCEDURE = public.bad_eq,
+ LEFTARG = oid, RIGHTARG = integer
+ );
+ """)
+ # the following select changes the time zone as a side effect if
+ # internal query uses unqualified = operator as it did earlier
+ execute("SELECT 1")
+ execute("SHOW TIMEZONE") # make sure time zone has not changed
+ self.assertEqual(cur.fetchone()[0], 'UTC')
+ finally:
+ execute("DROP OPERATOR IF EXISTS public.= (oid, integer)")
+ execute("DROP FUNCTION IF EXISTS public.bad_eq(oid, integer)")
+ cur.close()
+ con.close()
+
if __name__ == '__main__':
unittest.main()
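Review bot: If any statement inside the `try` fails (for example the `CREATE FUNCTION` because plpgsql is unavailable or the caller lacks CREATE on `public`), the connection is left in an aborted transaction and the two `DROP ... IF EXISTS` statements in `finally` raise as well, so the cleanup error masks the original failure; put `con.rollback()` as the first line of the `finally` block — with `IF EXISTS` the drops then remain harmless whether or not the CREATEs were committed. The regression check also only shadows `=` for `(oid, integer)` and relies on `SELECT 1` triggering an internal lookup that compares an oid to an integer, so internal queries with other operand types or operators are not exercised; a comment such as `# only covers the oid = integer comparison in the type lookup; other internal queries are not shadowed here` would make that limit explicit. The enclosing test class starts outside the hunk.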