2 # Copyright (c) 2021-2024, PostgreSQL Global Development Group
4 # src/pl/plperl/plc_trusted.pl
6 #<<< protect next line from perltidy so perlcritic annotation works
7 package PostgreSQL::InServer::safe; ## no critic (RequireFilenameMatchesPackage)
8 #>>>
10 # Load widely useful pragmas into plperl to make them available.
12 # SECURITY RISKS:
14 # Since these modules are free to compile unsafe opcodes they must
15 # be trusted to not allow any code containing unsafe opcodes to be abused.
16 # That's much harder than it sounds.
18 # Be aware that perl provides a wide variety of ways to subvert
19 # pre-compiled code. For some examples, see this presentation:
20 # http://www.slideshare.net/cdman83/barely-legal-xxx-perl-presentation
22 # If in ANY doubt about a module, or ANY of the modules down the chain of
23 # dependencies it loads, then DO NOT add it to this list.
25 # To check if any of these modules use "unsafe" opcodes you can compile
26 # plperl with the PLPERL_ENABLE_OPMASK_EARLY macro defined. See plperl.c
28 require strict;
29 require Carp;
30 require Carp::Heavy;
31 require warnings;
32 require feature if $] >= 5.010000;
34 #<<< protect next line from perltidy so perlcritic annotation works
35 package PostgreSQL::InServer::WarnEnv; ## no critic (RequireFilenameMatchesPackage)
36 #>>>
38 use strict;
39 use warnings;
40 use Tie::Hash;
41 our @ISA = qw(Tie::StdHash);
# Tied-hash STORE hook for %ENV: the value is never written. The attempt is
# only reported, naming the key the caller tried to set.
sub STORE
{
    my $complaint = "attempted alteration of \$ENV{$_[1]}";
    return warn $complaint;
}
# Tied-hash DELETE hook for %ENV: the key is left in place. The attempt is
# only reported, naming the key the caller tried to remove.
sub DELETE
{
    my $complaint = "attempted deletion of \$ENV{$_[1]}";
    return warn $complaint;
}
# Tied-hash CLEAR hook for %ENV: the hash is not emptied. The attempt to wipe
# it is only reported.
sub CLEAR
{
    my $complaint = "attempted clearance of ENV hash";
    return warn $complaint;
}
# Remove magic property of %ENV. Changes to this will now not be reflected in
# the process environment.
# The hash slot of the main::ENV glob is pointed at a new anonymous hash that
# holds a copy of the current %ENV contents. This must run before the tie
# below, which then applies to the copy.
*main::ENV = {%ENV};

# Block %ENV changes from trusted PL/Perl, and warn. We changed %ENV to just a
# normal hash, yet the application may be expecting the usual Perl %ENV
# magic. Blocking and warning avoids silent application breakage. The user can
# untie or otherwise disable this, e.g. if the lost mutation is unimportant
# and modifying the code to stop that mutation would be onerous.
#
# Because the tie can be removed by the user, it serves as a diagnostic aid.
# The separation from the process environment comes from the glob replacement
# above, not from the tie.
#
# WarnEnv overrides only STORE, DELETE and CLEAR; the constructor and the read
# methods are inherited through @ISA from Tie::StdHash.
# NOTE(review): the stock Tie::StdHash::TIEHASH is believed to ignore extra
# arguments. If so, the %ENV list passed here does not seed the tied hash and
# reads of %ENV would see an empty hash - confirm against the Tie::Hash in use
# and the intended read behaviour.
# NOTE(review): tie is not documented to set $!, so the die message may be
# empty or stale on failure - confirm.
tie %main::ENV, 'PostgreSQL::InServer::WarnEnv', %ENV or die $!;