Merge pull request #2496 from citusdata/limit_transmit

Only allow transmit from pgsql_job_cache directory
2018-12-06 16:25:47 +01:00 · 2018-12-06 16:25:47 +01:00 · 298613824e
parent 2967d8e65f 9cf91c438b
commit 298613824e
5 changed files with 21 additions and 1 deletions
--- a/src/backend/distributed/commands/transmit.c
+++ b/src/backend/distributed/commands/transmit.c
@ -420,6 +420,12 @@ VerifyTransmitStmt(CopyStmt *copyStatement)
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 (errmsg("path must be in or below the current directory"))));
 	}
+	else if (!CacheDirectoryElement(fileName))
+	{
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 (errmsg("path must be in the pgsql_job_cache directory"))));
+	}

 	if (copyStatement->filename != NULL)
 	{
--- a/src/backend/distributed/worker/worker_partition_protocol.c
+++ b/src/backend/distributed/worker/worker_partition_protocol.c
@ -643,7 +643,12 @@ CacheDirectoryElement(const char *filename)
 	appendStringInfo(directoryPath, "base/%s/", PG_JOB_CACHE_DIR);

 	directoryPathFound = strstr(filename, directoryPath->data);
-	if (directoryPathFound != NULL)
+
+	/*
+	 * If directoryPath occurs at the beginning of the filename, then the
+	 * pointers should now be equal.
+	 */
+	if (directoryPathFound == filename)
 	{
 		directoryElement = true;
 	}
--- a/src/test/regress/expected/multi_multiuser.out
+++ b/src/test/regress/expected/multi_multiuser.out
@ -109,6 +109,9 @@ PREPARE prepare_select AS SELECT count(*) FROM test;
 -- not allowed to read absolute paths, even as superuser
 COPY "/etc/passwd" TO STDOUT WITH (format transmit);
 ERROR:  absolute path not allowed
+-- not allowed to read paths outside pgsql_job_cache, even as superuser
+COPY "postgresql.conf" TO STDOUT WITH (format transmit);
+ERROR:  path must be in the pgsql_job_cache directory
 -- check full permission
 SET ROLE full_access;
 EXECUTE prepare_insert(1);
--- a/src/test/regress/expected/multi_multiuser_0.out
+++ b/src/test/regress/expected/multi_multiuser_0.out
@ -109,6 +109,9 @@ PREPARE prepare_select AS SELECT count(*) FROM test;
 -- not allowed to read absolute paths, even as superuser
 COPY "/etc/passwd" TO STDOUT WITH (format transmit);
 ERROR:  absolute path not allowed
+-- not allowed to read paths outside pgsql_job_cache, even as superuser
+COPY "postgresql.conf" TO STDOUT WITH (format transmit);
+ERROR:  path must be in the pgsql_job_cache directory
 -- check full permission
 SET ROLE full_access;
 EXECUTE prepare_insert(1);
--- a/src/test/regress/sql/multi_multiuser.sql
+++ b/src/test/regress/sql/multi_multiuser.sql
@ -87,6 +87,9 @@ PREPARE prepare_select AS SELECT count(*) FROM test;
 -- not allowed to read absolute paths, even as superuser
 COPY "/etc/passwd" TO STDOUT WITH (format transmit);

+-- not allowed to read paths outside pgsql_job_cache, even as superuser
+COPY "postgresql.conf" TO STDOUT WITH (format transmit);
+
 -- check full permission
 SET ROLE full_access;