From c2e5f4d1c16faa84a19906706481cf149769f320 Mon Sep 17 00:00:00 2001
From: Fujii Masao <fujii@postgresql.org>
Date: Thu, 9 Jul 2015 22:30:52 +0900
Subject: [PATCH] Make wal_compression PGC_SUSET rather than PGC_USERSET.

When enabling wal_compression, there is a risk to leak data similarly to
the BREACH and CRIME attacks on SSL where the compression ratio of
a full page image gives a hint of what is the existing data of this page.
This vulnerability is quite cumbersome to exploit in practice, but doable.

So this patch makes wal_compression PGC_SUSET in order to prevent
non-superusers from enabling it and exploiting the vulnerability while
DBA thinks the risk very seriously and disables it in postgresql.conf.

Back-patch to 9.5 where wal_compression was introduced.
---
 doc/src/sgml/config.sgml     | 1 +
 src/backend/utils/misc/guc.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 4b7bd8a86e6..b91d6c75d27 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -2303,6 +2303,7 @@ include_dir 'conf.d'
         <xref linkend="guc-full-page-writes"> is on or during a base backup.
         A compressed page image will be decompressed during WAL replay.
         The default value is <literal>off</>.
+        Only superusers can change this setting.
        </para>
 
        <para>
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 595a609989d..1bed5250a6c 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -995,7 +995,7 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
-		{"wal_compression", PGC_USERSET, WAL_SETTINGS,
+		{"wal_compression", PGC_SUSET, WAL_SETTINGS,
 			gettext_noop("Compresses full-page writes written in WAL file."),
 			NULL
 		},
-- 
GitLab