NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3590680

committed

Fix incorrect permissions on pg_subscription.

The documented intent is for all columns except subconninfo to bepublicly readable. However, this has been overlooked twice.subsynccommit has never been readable since it was introduced,nor has the oid column (which is important for joining).Given the lack of previous complaints, it's not clear that it'sworth doing anything about this in the back branches. But there'sstill time to fix it inexpensively for v14.Per report from Israel Barth (via Euler Taveira).Patch by Euler Taveira, possibly-vain comment updates by me.Discussion:https://postgr.es/m/b8f7c17c-0041-46b6-acfe-2d1f5a985ab4@www.fastmail.com

1 parent187682c commit3590680Copy full SHA for 3590680

File tree

3 files changed

-4

lines changed

src
- backend/catalog
  - system_views.sql
- include/catalog
  - catversion.h
  - pg_subscription.h

3 files changed

-4

lines changed

`‎src/backend/catalog/system_views.sql`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1252,7 +1252,8 @@ CREATE VIEW pg_replication_origin_status AS`
`1252`	`1252`
`1253`	`1253`	`REVOKE ALLON pg_replication_origin_statusFROM public;`
`1254`	`1254`
`1255`		`--- All columns of pg_subscription except subconninfo are readable.`
	`1255`	`+-- All columns of pg_subscription except subconninfo arepubliclyreadable.`
`1256`	`1256`	`REVOKE ALLON pg_subscriptionFROM public;`
`1257`		`-GRANTSELECT (subdbid, subname, subowner, subenabled, subbinary, substream, subslotname, subpublications)`
	`1257`	`+GRANTSELECT (oid, subdbid, subname, subowner, subenabled, subbinary,`
	`1258`	`+ substream, subslotname, subsynccommit, subpublications)`
`1258`	`1259`	`ON pg_subscription TO public;`

`‎src/include/catalog/catversion.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`*/`
`54`	`54`
`55`	`55`	`/yyyymmddN /`
`56`		`-#defineCATALOG_VERSION_NO202105272`
	`56`	`+#defineCATALOG_VERSION_NO202106031`
`57`	`57`
`58`	`58`	`#endif`

`‎src/include/catalog/pg_subscription.h`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,10 @@`
`34`	`34`	`* them to be able to start the workers, so we have to put them in a shared,`
`35`	`35`	`* nailed catalog.`
`36`	`36`	`*`
`37`		`- * NOTE: When adding a column, also update system_views.sql.`
	`37`	`+ * CAUTION: There is a GRANT in system_views.sql to grant public select`
	`38`	`+ * access on all columns except subconninfo. When you add a new column`
	`39`	`+ * here, be sure to update that (or, if the new column is not to be publicly`
	`40`	`+ * readable, update associated comments and catalogs.sgml instead).`
`38`	`41`	`*/`
`39`	`42`	`CATALOG(pg_subscription,6100,SubscriptionRelationId)BKI_SHARED_RELATIONBKI_ROWTYPE_OID(6101,SubscriptionRelation_Rowtype_Id)BKI_SCHEMA_MACRO`
`40`	`43`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3590680

File tree

3 files changed

3 files changed

`‎src/backend/catalog/system_views.sql`

`‎src/include/catalog/catversion.h`

`‎src/include/catalog/pg_subscription.h`

0 commit comments