I just noticed that all of tsearch2's "dict init" routines are declared
like this:
CREATE FUNCTION dex_init(text)returns internalas 'MODULE_PATHNAME' language 'C';
This is really unacceptable, because it breaks the type safety of the
"internal" pseudotype. I quote from datatype.sgml:
The internal pseudo-type is used to declare functions that are meant only to be called internally by the database
system, and not by direct invocation in a SQL query. If a function has at least one internal-type argument then it
cannotbe called from SQL. To preserve the type safety of this restriction it is important to follow this coding
rule:do not create any function that is declared to return internal unless it has at least one internal argument.
In a database with these functions installed, it will be trivial for
anyone to crash the backend (and perhaps do worse things) since he can
pass the result of dex_init to any function taking an internal argument
--- almost none of which are expecting a dict data structure.
Please change these at once. The best solution might be to declare
an actual "dict" datatype for these functions to return.
Another security issue is that these functions can be used to read any
file that the backend can read. I'm not sure at the moment whether a
bad guy could do anything useful with the result (are the contents of
stoplists exposed anywhere?) but it seems fairly dangerous to allow
arbitrary pathnames in the argument.
A possible short-term solution is to revoke public execute rights on
these functions, so that only superusers can call them.
regards, tom lane