Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit5a9167c

Browse files
committed
Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security context
The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY arecorrectly executed in SECURITY_RESTRICTED_OPERATION mode, except forcreating the temporary "diff" table, because you cannot createtemporary tables in SRO mode. But creating the temporary "diff" tableis a pretty complex CTAS command that selects from another temporarytable created earlier in the command. If you can cajole that CTAScommand to execute code defined by the table owner, the table ownercan run code with the privileges of the user running the REFRESHcommand.The proof-of-concept reported to the security team relied on CREATERULE to convert the internally-built temp table to a view. That's notpossible since commitb23cd18, and I was not able to find adifferent way to turn the SELECT on the temp table into codeexecution, so as far as I know this is only exploitable in v15 andbelow. That's a fiddly assumption though, so apply this patch tomaster and all stable versions.Thanks to Pedro Gallegos for the report.Security:CVE-2023-5869Reviewed-by: Noah Misch
1 parentdafbfed commit5a9167c

File tree

1 file changed

+26
-7
lines changed

1 file changed

+26
-7
lines changed

‎src/backend/commands/matview.c

Lines changed: 26 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -656,13 +656,35 @@ refresh_by_match_merge(Oid matviewOid, Oid tempOid, Oid relowner,
656656
SPI_getvalue(SPI_tuptable->vals[0],SPI_tuptable->tupdesc,1))));
657657
}
658658

659+
/*
660+
* Create the temporary "diff" table.
661+
*
662+
* Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
663+
* because you cannot create temp tables in SRO context. For extra
664+
* paranoia, add the composite type column only after switching back to
665+
* SRO context.
666+
*/
659667
SetUserIdAndSecContext(relowner,
660668
save_sec_context |SECURITY_LOCAL_USERID_CHANGE);
669+
resetStringInfo(&querybuf);
670+
appendStringInfo(&querybuf,
671+
"CREATE TEMP TABLE %s (tid pg_catalog.tid)",
672+
diffname);
673+
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
674+
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
675+
SetUserIdAndSecContext(relowner,
676+
save_sec_context |SECURITY_RESTRICTED_OPERATION);
677+
resetStringInfo(&querybuf);
678+
appendStringInfo(&querybuf,
679+
"ALTER TABLE %s ADD COLUMN newdata %s",
680+
diffname,tempname);
681+
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
682+
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
661683

662-
/* Start building the query forcreating the diff table. */
684+
/* Start building the query forpopulating the diff table. */
663685
resetStringInfo(&querybuf);
664686
appendStringInfo(&querybuf,
665-
"CREATE TEMP TABLE %s AS "
687+
"INSERT INTO %s "
666688
"SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
667689
"FROM %s mv FULL JOIN %s newdata ON (",
668690
diffname,tempname,matviewname,tempname);
@@ -788,13 +810,10 @@ refresh_by_match_merge(Oid matviewOid, Oid tempOid, Oid relowner,
788810
"WHERE newdata.* IS NULL OR mv.* IS NULL "
789811
"ORDER BY tid");
790812

791-
/*Create the temporary "diff" table. */
792-
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
813+
/*Populate the temporary "diff" table. */
814+
if (SPI_exec(querybuf.data,0)!=SPI_OK_INSERT)
793815
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
794816

795-
SetUserIdAndSecContext(relowner,
796-
save_sec_context |SECURITY_RESTRICTED_OPERATION);
797-
798817
/*
799818
* We have no further use for data from the "full-data" temp table, but we
800819
* must keep it around because its type is referenced from the diff table.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp