NotificationsYou must be signed in to change notification settings
Fork5.2k
Star19k

Commitccacaf4

committed

Fix inconsistent quoting of role names in ACLs.

getid() and putid(), which parse and deparse role names within ACLinput/output, applied isalnum() to see if a character within a rolename requires quoting. They did this even for non-ASCII characters,which is problematic because the results would depend on encoding,locale, and perhaps even platform. So it's possible that putid()could elect not to quote some string that, later in some otherenvironment, getid() will decide is not a valid identifier, causingdump/reload or similar failures.To fix this in a way that won't risk interoperability problemswith unpatched versions, make getid() treat any non-ASCII as alegitimate identifier character (hence not requiring quotes),while making putid() treat any non-ASCII as requiring quoting.We could remove the resulting excess quoting once we feel thatno unpatched servers remain in the wild, but that'll be years.A lesser problem is that getid() did the wrong thing with an inputconsisting of just two double quotes (""). That has to represent anempty string, but getid() read it as a single double quote instead.The case cannot arise in the normal course of events, since we don'tallow empty-string role names. But let's fix it while we're here.Although we've not heard field reports of problems with non-ASCIIrole names, there's clearly a hazard there, so back-patch to allsupported versions.Reported-by: Peter Eisentraut <peter@eisentraut.org>Author: Tom Lane <tgl@sss.pgh.pa.us>Discussion:https://postgr.es/m/3792884.1751492172@sss.pgh.pa.usBackpatch-through: 13

1 parent3d23f68 commitccacaf4Copy full SHA for ccacaf4

File tree

3 files changed

+53

-8

lines changed

src
- backend/utils/adt
  - acl.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+53

-8

lines changed

`‎src/backend/utils/adt/acl.c‎`

Lines changed: 25 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,22 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);`
`134`	`134`	`staticvoidRoleMembershipCacheCallback(Datumarg,intcacheid,uint32hashvalue);`
`135`	`135`
`136`	`136`
	`137`	`+/*`
	`138`	`+ * Test whether an identifier char can be left unquoted in ACLs.`
	`139`	`+ *`
	`140`	`+ * Formerly, we used isalnum() even on non-ASCII characters, resulting in`
	`141`	`+ * unportable behavior. To ensure dump compatibility with old versions,`
	`142`	`+ * we now treat high-bit-set characters as always requiring quoting during`
	`143`	`+ * putid(), but getid() will always accept them without quotes.`
	`144`	`+ */`
	`145`	`+staticinlinebool`
	`146`	`+is_safe_acl_char(unsignedcharc,boolis_getid)`
	`147`	`+{`
	`148`	`+if (IS_HIGHBIT_SET(c))`
	`149`	`+returnis_getid;`
	`150`	`+returnisalnum(c)\|\|c=='_';`
	`151`	`+}`
	`152`	`+`
`137`	`153`	`/*`
`138`	`154`	`* getid`
`139`	`155`	`*Consumes the first alphanumeric string (identifier) found in string`
`@@ -159,21 +175,22 @@ getid(const char s, char n, Node *escontext)`
`159`	`175`
`160`	`176`	`while (isspace((unsignedchar)*s))`
`161`	`177`	`s++;`
`162`		`-/* This code had better match what putid() does, below */`
`163`	`178`	`for (;`
`164`	`179`	`*s!='\0'&&`
`165`		`- (isalnum((unsignedchar)*s)\|\|`
`166`		`-*s=='_'\|\|`
`167`		`-*s=='"'\|\|`
`168`		`-in_quotes);`
	`180`	`+ (in_quotes\|\|s=='"'\|\|is_safe_acl_char(s, true));`
`169`	`181`	`s++)`
`170`	`182`	`{`
`171`	`183`	`if (*s=='"')`
`172`	`184`	`{`
	`185`	`+if (!in_quotes)`
	`186`	`+{`
	`187`	`+in_quotes= true;`
	`188`	`+continue;`
	`189`	`+}`
`173`	`190`	`/* safe to look at next char (could be '\0' though) */`
`174`	`191`	`if (*(s+1)!='"')`
`175`	`192`	`{`
`176`		`-in_quotes=!in_quotes;`
	`193`	`+in_quotes=false;`
`177`	`194`	`continue;`
`178`	`195`	`}`
`179`	`196`	`/* it's an escaped double quote; skip the escaping char */`
`@@ -207,10 +224,10 @@ putid(char p, const char s)`
`207`	`224`	`constchar*src;`
`208`	`225`	`boolsafe= true;`
`209`	`226`
	`227`	`+/* Detect whether we need to use double quotes */`
`210`	`228`	`for (src=s;*src;src++)`
`211`	`229`	`{`
`212`		`-/* This test had better match what getid() does, above */`
`213`		`-if (!isalnum((unsignedchar)src)&&src!='_')`
	`230`	`+if (!is_safe_acl_char(*src, false))`
`214`	`231`	`{`
`215`	`232`	`safe= false;`
`216`	`233`	`break;`

`‎src/test/regress/expected/privileges.out‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2568,6 +2568,26 @@ SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,`
`2568`	`2568`	`SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,`
`2569`	`2569`	`'SELECT, fake_privilege', FALSE); -- error`
`2570`	`2570`	`ERROR: unrecognized privilege type: "fake_privilege"`
	`2571`	`+-- Test quoting and dequoting of user names in ACLs`
	`2572`	`+CREATE ROLE "regress_""quoted";`
	`2573`	`+SELECT makeaclitem('regress_"quoted'::regrole, 'regress_"quoted'::regrole,`
	`2574`	`+ 'SELECT', TRUE);`
	`2575`	`+ makeaclitem`
	`2576`	`+------------------------------------------`
	`2577`	`+ "regress_""quoted"=r*/"regress_""quoted"`
	`2578`	`+(1 row)`
	`2579`	`+`
	`2580`	`+SELECT '"regress_""quoted"=r*/"regress_""quoted"'::aclitem;`
	`2581`	`+ aclitem`
	`2582`	`+------------------------------------------`
	`2583`	`+ "regress_""quoted"=r*/"regress_""quoted"`
	`2584`	`+(1 row)`
	`2585`	`+`
	`2586`	`+SELECT '""=r*/""'::aclitem; -- used to be misparsed as """"`
	`2587`	`+ERROR: a name must follow the "/" sign`
	`2588`	`+LINE 1: SELECT '""=r*/""'::aclitem;`
	`2589`	`+ ^`
	`2590`	`+DROP ROLE "regress_""quoted";`
`2571`	`2591`	`-- Test non-throwing aclitem I/O`
`2572`	`2592`	`SELECT pg_input_is_valid('regress_priv_user1=r/regress_priv_user2', 'aclitem');`
`2573`	`2593`	`pg_input_is_valid`

`‎src/test/regress/sql/privileges.sql‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1544,6 +1544,14 @@ SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,`
`1544`	`1544`	`SELECT makeaclitem('regress_priv_user1'::regrole,'regress_priv_user2'::regrole,`
`1545`	`1545`	`'SELECT, fake_privilege', FALSE);-- error`
`1546`	`1546`
	`1547`	`+-- Test quoting and dequoting of user names in ACLs`
	`1548`	`+CREATE ROLE"regress_""quoted";`
	`1549`	`+SELECT makeaclitem('regress_"quoted'::regrole,'regress_"quoted'::regrole,`
	`1550`	`+'SELECT', TRUE);`
	`1551`	`+SELECT'"regress_""quoted"=r*/"regress_""quoted"'::aclitem;`
	`1552`	`+SELECT'""=r*/""'::aclitem;-- used to be misparsed as """"`
	`1553`	`+DROP ROLE"regress_""quoted";`
	`1554`	`+`
`1547`	`1555`	`-- Test non-throwing aclitem I/O`
`1548`	`1556`	`SELECT pg_input_is_valid('regress_priv_user1=r/regress_priv_user2','aclitem');`
`1549`	`1557`	`SELECT pg_input_is_valid('regress_priv_user1=r/','aclitem');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitccacaf4

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/acl.c‎`

`‎src/test/regress/expected/privileges.out‎`

`‎src/test/regress/sql/privileges.sql‎`

0 commit comments