mirror of
https://github.com/timescale/timescaledb.git
synced 2025-05-17 19:13:16 +08:00
c8b8516e46
TimescaleDB was vulnerable to a privilege escalation attack in the extension installation script. An attacker could precreate objects normally owned by the extension and get those objects used in the installation script since the script would only try to create them if they did not already exist. Thanks to Pedro Gallegos for reporting the problem. This patch changes the schema, table and function creation to fail and abort the installation when the object already exists instead of using the existing object. Security: CVE-2022-24128
17 lines
434 B
Bash
Executable File
17 lines
434 B
Bash
Executable File
#! /bin/bash
|
|
|
|
SCRIPT_DIR=$(dirname ${0})
|
|
SRC_DIR=$(dirname ${SCRIPT_DIR})
|
|
|
|
if grep -ir "IF NOT EXISTS" ${SRC_DIR}/sql; then
|
|
cat <<EOF
|
|
|
|
Update scripts must unconditionally add new objects and fail when the object
|
|
already exists otherwise this might enable privilege escalation attacks where
|
|
an attacker can precreate objects that get used in later parts of the scripts
|
|
instead of the objects created by timescaledb.
|
|
|
|
EOF
|
|
exit 1
|
|
fi
|