Обсуждение: Potential vuln in example for "F.25.1.1. digest()"
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/13/pgcrypto.html Description: Hi, in "F.25.1.1. digest()" you suggest: CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$ SELECT encode(digest($1, 'sha1'), 'hex') $$ LANGUAGE SQL STRICT IMMUTABLE; While this is a great example, it may expose a database app to vulnerabilities if the attacker succeeds in overriding the function sha1(...) in the app's user context (schema). This may or may not require administrative privileges. Explicitly putting it into the "postgres" schema and calling it using "postgres.sha1(...)" could mitigate the risk in such a way that administrative privileges are required. Do you have an even better solution to secure it? :-) Beat
On Tuesday, August 17, 2021, PG Doc comments form <noreply@postgresql.org> wrote:
The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/13/pgcrypto.html
Description:
Hi,
in "F.25.1.1. digest()" you suggest:
CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;
While this is a great example, it may expose a database app to
vulnerabilities if the attacker succeeds in overriding the function
sha1(...) in the app's user context (schema)
You should read this:
David J.
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On Tuesday, August 17, 2021, PG Doc comments form <noreply@postgresql.org> > wrote: >> in "F.25.1.1. digest()" you suggest: >> >> CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$ >> SELECT encode(digest($1, 'sha1'), 'hex') >> $$ LANGUAGE SQL STRICT IMMUTABLE; >> >> While this is a great example, it may expose a database app to >> vulnerabilities if the attacker succeeds in overriding the function >> sha1(...) in the app's user context (schema) > You should read this: > https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path Yeah. I can't get terribly excited about trying to make this one example unconditionally-secure; there are dozens if not hundreds of similar cases in our docs. Trying to make them all safe against insecure search paths would mostly result in unreadable examples. regards, tom lane