NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit677a494

committed

In REFRESH MATERIALIZED VIEW, set user ID before running user code.

It intended to, but did not, achieve this. Adopt the new standard ofsetting user ID just after locking the relation. Back-patch to v10 (allsupported versions).Reviewed by Simon Riggs. Reported by Alvaro Herrera.Security:CVE-2022-1552

1 parentab49ce7 commit677a494Copy full SHA for 677a494

File tree

3 files changed

+44

-19

lines changed

src
- backend/commands
  - matview.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+44

-19

lines changed

`‎src/backend/commands/matview.c`

Lines changed: 11 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt stmt, const char queryString,`
`167`	`167`	`lockmode,0,`
`168`	`168`	`RangeVarCallbackOwnsTable,NULL);`
`169`	`169`	`matviewRel=table_open(matviewOid,NoLock);`
	`170`	`+relowner=matviewRel->rd_rel->relowner;`
	`171`	`+`
	`172`	`+/*`
	`173`	`+ * Switch to the owner's userid, so that any functions are run as that`
	`174`	`+ * user. Also lock down security-restricted operations and arrange to`
	`175`	`+ * make GUC variable changes local to this command.`
	`176`	`+ */`
	`177`	`+GetUserIdAndSecContext(&save_userid,&save_sec_context);`
	`178`	`+SetUserIdAndSecContext(relowner,`
	`179`	`+save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
	`180`	`+save_nestlevel=NewGUCNestLevel();`
`170`	`181`
`171`	`182`	`/* Make sure it is a materialized view. */`
`172`	`183`	`if (matviewRel->rd_rel->relkind!=RELKIND_MATVIEW)`
`@@ -269,19 +280,6 @@ ExecRefreshMatView(RefreshMatViewStmt stmt, const char queryString,`
`269`	`280`	`*/`
`270`	`281`	`SetMatViewPopulatedState(matviewRel, !stmt->skipData);`
`271`	`282`
`272`		`-relowner=matviewRel->rd_rel->relowner;`
`273`		`-`
`274`		`-/*`
`275`		`- * Switch to the owner's userid, so that any functions are run as that`
`276`		`- * user. Also arrange to make GUC variable changes local to this command.`
`277`		`- * Don't lock it down too tight to create a temporary table just yet. We`
`278`		`- * will switch modes when we are about to execute user code.`
`279`		`- */`
`280`		`-GetUserIdAndSecContext(&save_userid,&save_sec_context);`
`281`		`-SetUserIdAndSecContext(relowner,`
`282`		`-save_sec_context \|SECURITY_LOCAL_USERID_CHANGE);`
`283`		`-save_nestlevel=NewGUCNestLevel();`
`284`		`-`
`285`	`283`	`/* Concurrent refresh builds new data in temp tablespace, and does diff. */`
`286`	`284`	`if (concurrent)`
`287`	`285`	`{`
`@@ -304,12 +302,6 @@ ExecRefreshMatView(RefreshMatViewStmt stmt, const char queryString,`
`304`	`302`	`LockRelationOid(OIDNewHeap,AccessExclusiveLock);`
`305`	`303`	`dest=CreateTransientRelDestReceiver(OIDNewHeap);`
`306`	`304`
`307`		`-/*`
`308`		`- * Now lock down security-restricted operations.`
`309`		`- */`
`310`		`-SetUserIdAndSecContext(relowner,`
`311`		`-save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`312`		`-`
`313`	`305`	`/* Generate the data, if wanted. */`
`314`	`306`	`if (!stmt->skipData)`
`315`	`307`	`processed=refresh_matview_datafill(dest,dataQuery,queryString);`

`‎src/test/regress/expected/privileges.out`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1564,6 +1564,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1`
`1564`	`1564`	`SQL statement "SELECT unwanted_grant()"`
`1565`	`1565`	`PL/pgSQL function sro_trojan() line 1 at PERFORM`
`1566`	`1566`	`SQL function "mv_action" statement 1`
	`1567`	`+-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()`
	`1568`	`+SET SESSION AUTHORIZATION regress_sro_user;`
	`1569`	`+CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int`
	`1570`	`+IMMUTABLE LANGUAGE plpgsql AS $$`
	`1571`	`+BEGIN`
	`1572`	`+PERFORM unwanted_grant();`
	`1573`	`+RAISE WARNING 'owned';`
	`1574`	`+RETURN 1;`
	`1575`	`+EXCEPTION WHEN OTHERS THEN`
	`1576`	`+RETURN 2;`
	`1577`	`+END$$;`
	`1578`	`+CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;`
	`1579`	`+CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;`
	`1580`	`+\c -`
	`1581`	`+REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;`
	`1582`	`+REFRESH MATERIALIZED VIEW sro_index_mv;`
`1567`	`1583`	`DROP OWNED BY regress_sro_user;`
`1568`	`1584`	`DROP ROLE regress_sro_user;`
`1569`	`1585`	`-- Admin options`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -979,6 +979,23 @@ REFRESH MATERIALIZED VIEW sro_mv;`
`979`	`979`	`REFRESH MATERIALIZED VIEW sro_mv;`
`980`	`980`	`BEGIN;SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv;COMMIT;`
`981`	`981`
	`982`	`+-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()`
	`983`	`+SET SESSION AUTHORIZATION regress_sro_user;`
	`984`	`+CREATEFUNCTIONunwanted_grant_nofail(int) RETURNSint`
	`985`	`+IMMUTABLE LANGUAGE plpgsqlAS $$`
	`986`	`+BEGIN`
	`987`	`+PERFORM unwanted_grant();`
	`988`	`+RAISE WARNING'owned';`
	`989`	`+RETURN1;`
	`990`	`+EXCEPTION WHEN OTHERS THEN`
	`991`	`+RETURN2;`
	`992`	`+END$$;`
	`993`	`+CREATE MATERIALIZED VIEW sro_index_mvASSELECT1AS c;`
	`994`	`+CREATEUNIQUE INDEXON sro_index_mv (c)WHERE unwanted_grant_nofail(1)>0;`
	`995`	`+\c-`
	`996`	`+REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;`
	`997`	`+REFRESH MATERIALIZED VIEW sro_index_mv;`
	`998`	`+`
`982`	`999`	`DROP OWNED BY regress_sro_user;`
`983`	`1000`	`DROP ROLE regress_sro_user;`
`984`	`1001`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit677a494

File tree

3 files changed

3 files changed

`‎src/backend/commands/matview.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments