| From: | Anders Åstrand <anders(at)449(dot)se> |
|---|---|
| To: | Jet <zhangchenxi(at)halodbtech(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Potential security risk associated with function call |
| Date: | 2026-03-10 10:50:42 |
| Message-ID: | 3ee2cdef-e908-42f7-9fce-fa1b81ec43d7@449.com |
| Lists: | pgsql-hackers |
On 3/10/26 11:24, Jet wrote:
> Hi Hackers,
>
> Recently, I notice a security risk when calling a function, it's
> strange but also interesting. E.g.
>
> `array_to_text_null` is a builtin function with 3 args. Normally, the
> function is working well. **BUT**
> if we create another version `array_to_text_null` function, say
> `harmful_array_to_string`, but with 2 args:
>
>
Yikes. This seems really dangerous.
> A simple patch is provided to prevent access to unknown args' memory.
>
I don't think this patch will cover all cases as the function might do
something else with the data instead of checking for NULL, especially if
it expects to be called from a function that is defined with RETURNS
NULL ON NULL INPUT on the sql side.
My gut reaction would be to limit the creation of functions with
language=internal to superusers, but that wouldn't work as it would
break CREATE EXTENSION when there are server modules involved.
Maybe all C functions that are able to be used as language=internal
need to explicitly check nargs at the top of the function?
--
Anders Åstrand
Percona
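The mismatch described in this thread (a C builtin expecting three arguments, re-declared with `LANGUAGE internal` and fewer arguments) can be found from the catalogs. The query below is an added audit example, not code from the thread or from the PostgreSQL project: it lists functions created after initdb (oid at or above 16384, `FirstNormalObjectId`) that are declared `LANGUAGE internal` and whose declared argument count differs from a builtin that names the same C symbol in `prosrc`. Column and catalog names (`pg_proc.prosrc`, `pronargs`, `prolang`, `pg_language.lanname`) are the real ones; the output column aliases are my own.

```sql
-- Added audit query: user-created LANGUAGE internal functions whose
-- argument count differs from the builtin wrapping the same C symbol.
-- Builtins created by initdb have oid < 16384 (FirstNormalObjectId).
SELECT u.oid      AS user_oid,
       u.proname  AS user_function,
       u.pronargs AS user_nargs,
       b.proname  AS builtin_function,
       b.pronargs AS builtin_nargs,
       u.prosrc   AS c_symbol
FROM   pg_proc u
JOIN   pg_language l ON l.oid = u.prolang
JOIN   pg_proc b     ON b.prosrc = u.prosrc     -- same C symbol name
                    AND b.prolang = l.oid       -- also LANGUAGE internal
                    AND b.oid < 16384           -- shipped with the server
WHERE  l.lanname = 'internal'
  AND  u.oid >= 16384                           -- created after initdb
  AND  u.pronargs <> b.pronargs
ORDER  BY u.proname;
```

Any row returned is a function that will hand the C code an `fcinfo` with fewer (or more) argument slots than the code was written for; the `PG_GETARG_*` macros do not check `fcinfo->nargs`, so reading a slot past the end is exactly the uninitialized-memory access Jet reported. A function that shares a C symbol with a builtin but is declared with the same `pronargs` is not flagged, which matches the extension use case Anders mentions. On the C side the check Anders proposes would use `PG_NARGS()` (defined in `fmgr.h` as `fcinfo->nargs`) before the first argument is read.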