Unset PG_CIPHER_KEY environment variable to prevent access to it by non-priveleged users through pgperl

knizhnik · knizhnik · commit 4bed8acfe801 · 2016-11-07T18:01:02.000+03:00
diff --git a/src/backend/storage/file/cfs.c b/src/backend/storage/file/cfs.c
@@ -238,6 +238,7 @@ static void cfs_rc4_init(void)
 	if (cipher_key == NULL) { 
 		elog(ERROR, "PG_CIPHER_KEY environment variable is not set");
 	} 
+	unsetenv("PG_CIPHER_KEY"); /* make it not possible to inspect this environment variable through plperl */
     key_length = strlen(cipher_key);
 	for (i = 0; i < CFS_CIPHER_KEY_SIZE; ++i) {
         rc4_init_state[i] = (uint8)i;

Original file line number	Diff line number	Diff line change
`@@ -238,6 +238,7 @@ static void cfs_rc4_init(void)`
`238`	`238`	`if (cipher_key == NULL) {`
`239`	`239`	`elog(ERROR, "PG_CIPHER_KEY environment variable is not set");`
`240`	`240`	`}`
	`241`	`+ unsetenv("PG_CIPHER_KEY"); /* make it not possible to inspect this environment variable through plperl */`
`241`	`242`	`key_length = strlen(cipher_key);`
`242`	`243`	`for (i = 0; i < CFS_CIPHER_KEY_SIZE; ++i) {`
`243`	`244`	`rc4_init_state[i] = (uint8)i;`