1996-07-09 02:22:35 -04:00
|
|
|
/*
|
2010-09-20 16:08:53 -04:00
|
|
|
* src/test/examples/testlibpq4.c
|
2008-05-16 21:28:26 -04:00
|
|
|
*
|
|
|
|
|
*
|
1996-07-09 02:22:35 -04:00
|
|
|
* testlibpq4.c
|
2003-06-21 20:29:29 -04:00
|
|
|
* this test program shows to use LIBPQ to make multiple backend
|
1996-07-09 02:22:35 -04:00
|
|
|
* connections
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#include <stdio.h>
|
2003-06-21 20:29:29 -04:00
|
|
|
#include <stdlib.h>
|
1996-07-09 02:22:35 -04:00
|
|
|
#include "libpq-fe.h"
|
|
|
|
|
|
1997-09-25 12:35:52 -04:00
|
|
|
static void
|
1997-09-08 17:56:23 -04:00
|
|
|
exit_nicely(PGconn *conn1, PGconn *conn2)
|
1996-07-09 02:22:35 -04:00
|
|
|
{
|
1997-09-07 01:04:48 -04:00
|
|
|
if (conn1)
|
|
|
|
|
PQfinish(conn1);
|
|
|
|
|
if (conn2)
|
|
|
|
|
PQfinish(conn2);
|
|
|
|
|
exit(1);
|
1996-07-09 02:22:35 -04:00
|
|
|
}
|
|
|
|
|
|
1997-09-25 12:35:52 -04:00
|
|
|
static void
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
check_prepare_conn(PGconn *conn, const char *dbName)
|
1996-07-09 02:22:35 -04:00
|
|
|
{
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
PGresult *res;
|
|
|
|
|
|
1997-09-07 01:04:48 -04:00
|
|
|
/* check to see that the backend connection was successfully made */
|
2004-10-01 13:34:19 -04:00
|
|
|
if (PQstatus(conn) != CONNECTION_OK)
|
1997-09-07 01:04:48 -04:00
|
|
|
{
|
2004-10-01 13:34:19 -04:00
|
|
|
fprintf(stderr, "Connection to database \"%s\" failed: %s",
|
|
|
|
|
dbName, PQerrorMessage(conn));
|
1997-09-07 01:04:48 -04:00
|
|
|
exit(1);
|
|
|
|
|
}
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
|
|
|
|
|
/* Set always-secure search path, so malicous users can't take control. */
|
|
|
|
|
res = PQexec(conn,
|
|
|
|
|
"SELECT pg_catalog.set_config('search_path', '', false)");
|
2018-07-01 08:06:40 -04:00
|
|
|
if (PQresultStatus(res) != PGRES_TUPLES_OK)
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
{
|
|
|
|
|
fprintf(stderr, "SET failed: %s", PQerrorMessage(conn));
|
|
|
|
|
PQclear(res);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
PQclear(res);
|
1996-07-09 02:22:35 -04:00
|
|
|
}
|
|
|
|
|
|
1997-09-25 12:35:52 -04:00
|
|
|
int
|
1998-02-25 23:46:47 -05:00
|
|
|
main(int argc, char **argv)
|
1996-07-09 02:22:35 -04:00
|
|
|
{
|
1997-09-07 22:41:22 -04:00
|
|
|
char *pghost,
|
|
|
|
|
*pgport,
|
|
|
|
|
*pgoptions,
|
|
|
|
|
*pgtty;
|
|
|
|
|
char *dbName1,
|
1998-02-25 23:46:47 -05:00
|
|
|
*dbName2;
|
1997-09-07 22:41:22 -04:00
|
|
|
char *tblName;
|
|
|
|
|
int nFields;
|
|
|
|
|
int i,
|
|
|
|
|
j;
|
1997-09-07 01:04:48 -04:00
|
|
|
|
1997-09-07 22:41:22 -04:00
|
|
|
PGconn *conn1,
|
1998-02-25 23:46:47 -05:00
|
|
|
*conn2;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PGresult *res1, *res2;
|
1997-09-25 12:35:52 -04:00
|
|
|
*/
|
|
|
|
|
PGresult *res1;
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
if (argc != 4)
|
|
|
|
|
{
|
|
|
|
|
fprintf(stderr, "usage: %s tableName dbName1 dbName2\n", argv[0]);
|
|
|
|
|
fprintf(stderr, " compares two tables in two databases\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
tblName = argv[1];
|
|
|
|
|
dbName1 = argv[2];
|
|
|
|
|
dbName2 = argv[3];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* begin, by setting the parameters for a backend connection if the
|
|
|
|
|
* parameters are null, then the system will try to use reasonable
|
2005-10-14 22:49:52 -04:00
|
|
|
* defaults by looking up environment variables or, failing that, using
|
|
|
|
|
* hardwired constants
|
1997-09-07 01:04:48 -04:00
|
|
|
*/
|
2011-03-12 09:38:56 -05:00
|
|
|
pghost = NULL; /* host name of the backend */
|
|
|
|
|
pgport = NULL; /* port of the backend */
|
1997-09-07 01:04:48 -04:00
|
|
|
pgoptions = NULL; /* special options to start up the backend
|
|
|
|
|
* server */
|
2011-03-12 09:38:56 -05:00
|
|
|
pgtty = NULL; /* debugging tty for the backend */
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
/* make a connection to the database */
|
|
|
|
|
conn1 = PQsetdb(pghost, pgport, pgoptions, pgtty, dbName1);
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
check_prepare_conn(conn1, dbName1);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
conn2 = PQsetdb(pghost, pgport, pgoptions, pgtty, dbName2);
|
Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
2018-02-26 10:39:44 -05:00
|
|
|
check_prepare_conn(conn2, dbName2);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
/* start a transaction block */
|
|
|
|
|
res1 = PQexec(conn1, "BEGIN");
|
|
|
|
|
if (PQresultStatus(res1) != PGRES_COMMAND_OK)
|
|
|
|
|
{
|
|
|
|
|
fprintf(stderr, "BEGIN command failed\n");
|
|
|
|
|
PQclear(res1);
|
|
|
|
|
exit_nicely(conn1, conn2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-14 22:49:52 -04:00
|
|
|
* make sure to PQclear() a PGresult whenever it is no longer needed to
|
|
|
|
|
* avoid memory leaks
|
1997-09-07 01:04:48 -04:00
|
|
|
*/
|
|
|
|
|
PQclear(res1);
|
|
|
|
|
|
|
|
|
|
/*
|
2005-10-14 22:49:52 -04:00
|
|
|
* fetch instances from the pg_database, the system catalog of databases
|
1997-09-07 01:04:48 -04:00
|
|
|
*/
|
1997-09-25 12:35:52 -04:00
|
|
|
res1 = PQexec(conn1, "DECLARE myportal CURSOR FOR select * from pg_database");
|
|
|
|
|
if (PQresultStatus(res1) != PGRES_COMMAND_OK)
|
1997-09-07 01:04:48 -04:00
|
|
|
{
|
|
|
|
|
fprintf(stderr, "DECLARE CURSOR command failed\n");
|
1997-09-25 12:35:52 -04:00
|
|
|
PQclear(res1);
|
2004-09-22 01:12:45 -04:00
|
|
|
exit_nicely(conn1, conn2);
|
1997-09-07 01:04:48 -04:00
|
|
|
}
|
1997-09-25 12:35:52 -04:00
|
|
|
PQclear(res1);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
1997-09-25 12:35:52 -04:00
|
|
|
res1 = PQexec(conn1, "FETCH ALL in myportal");
|
|
|
|
|
if (PQresultStatus(res1) != PGRES_TUPLES_OK)
|
1997-09-07 01:04:48 -04:00
|
|
|
{
|
|
|
|
|
fprintf(stderr, "FETCH ALL command didn't return tuples properly\n");
|
1997-09-25 12:35:52 -04:00
|
|
|
PQclear(res1);
|
2004-09-22 01:12:45 -04:00
|
|
|
exit_nicely(conn1, conn2);
|
1997-09-07 01:04:48 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* first, print out the attribute names */
|
1997-09-25 12:35:52 -04:00
|
|
|
nFields = PQnfields(res1);
|
1997-09-07 01:04:48 -04:00
|
|
|
for (i = 0; i < nFields; i++)
|
1997-09-25 12:35:52 -04:00
|
|
|
printf("%-15s", PQfname(res1, i));
|
1997-09-07 01:04:48 -04:00
|
|
|
printf("\n\n");
|
|
|
|
|
|
|
|
|
|
/* next, print out the instances */
|
1997-09-25 12:35:52 -04:00
|
|
|
for (i = 0; i < PQntuples(res1); i++)
|
1997-09-07 01:04:48 -04:00
|
|
|
{
|
|
|
|
|
for (j = 0; j < nFields; j++)
|
1997-09-25 12:35:52 -04:00
|
|
|
printf("%-15s", PQgetvalue(res1, i, j));
|
1997-09-07 01:04:48 -04:00
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
|
1997-09-25 12:35:52 -04:00
|
|
|
PQclear(res1);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
/* close the portal */
|
1997-09-25 12:35:52 -04:00
|
|
|
res1 = PQexec(conn1, "CLOSE myportal");
|
|
|
|
|
PQclear(res1);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
/* end the transaction */
|
1997-09-25 12:35:52 -04:00
|
|
|
res1 = PQexec(conn1, "END");
|
|
|
|
|
PQclear(res1);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
2004-09-22 01:12:45 -04:00
|
|
|
/* close the connections to the database and cleanup */
|
1997-09-25 12:35:52 -04:00
|
|
|
PQfinish(conn1);
|
2004-09-22 01:12:45 -04:00
|
|
|
PQfinish(conn2);
|
1997-09-07 01:04:48 -04:00
|
|
|
|
|
|
|
|
/* fclose(debug); */
|
2004-09-22 01:12:45 -04:00
|
|
|
return 0;
|
1996-07-09 02:22:35 -04:00
|
|
|
}
|
