Skip to content

Commit c5ef8ce

Browse files
tglsfdctglsfdc
committed
Be more paranoid about null return values from libpq status functions.
PQhost() can return NULL in non-error situations, namely when a Unix-socket connection has been selected by default. That behavior is a tad debatable perhaps, but for the moment we should make sure that psql copes with it. Unfortunately, do_connect() failed to: it could pass a NULL pointer to strcmp(), resulting in crashes on most platforms. This was reported as a security issue by ChenQin of Topsec Security Team, but the consensus of the security list is that it's just a garden-variety bug with no security implications. For paranoia's sake, I made the keep_password test not trust PQuser or PQport either, even though I believe those will never return NULL given a valid PGconn. Back-patch to all supported branches.
1 parent 4616619 commit c5ef8ce

File tree

1 file changed

+12
-9
lines changed

1 file changed

+12
-9
lines changed

src/bin/psql/command.c

Lines changed: 12 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1750,14 +1750,17 @@ do_connect(char *dbname, char *user, char *host, char *port)
17501750
/*
17511751
* Any change in the parameters read above makes us discard the password.
17521752
* We also discard it if we're to use a conninfo rather than the
1753-
* positional syntax.
1753+
* positional syntax. Note that currently, PQhost() can return NULL for a
1754+
* default Unix-socket connection, so we have to allow NULL for host.
17541755
*/
1755-
keep_password =
1756-
(o_conn &&
1757-
(strcmp(user, PQuser(o_conn)) == 0) &&
1758-
(!host || strcmp(host, PQhost(o_conn)) == 0) &&
1759-
(strcmp(port, PQport(o_conn)) == 0) &&
1760-
!has_connection_string);
1756+
if (has_connection_string)
1757+
keep_password = false;
1758+
else
1759+
keep_password =
1760+
(user && PQuser(o_conn) && strcmp(user, PQuser(o_conn)) == 0) &&
1761+
((host && PQhost(o_conn) && strcmp(host, PQhost(o_conn)) == 0) ||
1762+
(host == NULL && PQhost(o_conn) == NULL)) &&
1763+
(port && PQport(o_conn) && strcmp(port, PQport(o_conn)) == 0);
17611764

17621765
/*
17631766
* Grab dbname from old connection unless supplied by caller. No password
@@ -1769,8 +1772,8 @@ do_connect(char *dbname, char *user, char *host, char *port)
17691772
/*
17701773
* If the user asked to be prompted for a password, ask for one now. If
17711774
* not, use the password from the old connection, provided the username
1772-
* has not changed. Otherwise, try to connect without a password first,
1773-
* and then ask for a password if needed.
1775+
* etc have not changed. Otherwise, try to connect without a password
1776+
* first, and then ask for a password if needed.
17741777
*
17751778
* XXX: this behavior leads to spurious connection attempts recorded in
17761779
* the postmaster's log. But libpq offers no API that would let us obtain

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy