NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit8d98819

committed

Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),but it failed to check for that, as reported by Chapman Flack. Oversightin commitc50b7c0; backpatch to 9.4 where that was introduced.Tom Lane and Michael PaquierSecurity:CVE-2017-7548

1 parente568e1e commit8d98819Copy full SHA for 8d98819

File tree

3 files changed

+26

-0

lines changed

src
- backend/libpq
  - be-fsstubs.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+26

-0

lines changed

`‎src/backend/libpq/be-fsstubs.c`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -896,6 +896,18 @@ be_lo_put(PG_FUNCTION_ARGS)`
`896`	`896`	`CreateFSContext();`
`897`	`897`
`898`	`898`	`loDesc=inv_open(loOid,INV_WRITE,fscxt);`
	`899`	`+`
	`900`	`+/* Permission check */`
	`901`	`+if (!lo_compat_privileges&&`
	`902`	`+pg_largeobject_aclcheck_snapshot(loDesc->id,`
	`903`	`+GetUserId(),`
	`904`	`+ACL_UPDATE,`
	`905`	`+loDesc->snapshot)!=ACLCHECK_OK)`
	`906`	`+ereport(ERROR,`
	`907`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`908`	`+errmsg("permission denied for large object %u",`
	`909`	`+loDesc->id)));`
	`910`	`+`
`899`	`911`	`inv_seek(loDesc,offset,SEEK_SET);`
`900`	`912`	`written=inv_write(loDesc,VARDATA_ANY(str),VARSIZE_ANY_EXHDR(str));`
`901`	`913`	`Assert(written==VARSIZE_ANY_EXHDR(str));`

`‎src/test/regress/expected/privileges.out`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1238,6 +1238,14 @@ SELECT lo_create(2002);`
`1238`	`1238`	`2002`
`1239`	`1239`	`(1 row)`
`1240`	`1240`
	`1241`	`+SELECT loread(lo_open(1001, x'20000'::int), 32);-- allowed, for now`
	`1242`	`+ loread`
	`1243`	`+--------`
	`1244`	`+ \x`
	`1245`	`+(1 row)`
	`1246`	`+`
	`1247`	`+SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd');-- fail, wrong mode`
	`1248`	`+ERROR: large object descriptor 0 was not opened for writing`
`1241`	`1249`	`SELECT loread(lo_open(1001, x'40000'::int), 32);`
`1242`	`1250`	`loread`
`1243`	`1251`	`--------`
`@@ -1333,6 +1341,8 @@ SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd');-- to be denied`
`1333`	`1341`	`ERROR: permission denied for large object 1002`
`1334`	`1342`	`SELECT lo_truncate(lo_open(1002, x'20000'::int), 10);-- to be denied`
`1335`	`1343`	`ERROR: permission denied for large object 1002`
	`1344`	`+SELECT lo_put(1002, 1, 'abcd');-- to be denied`
	`1345`	`+ERROR: permission denied for large object 1002`
`1336`	`1346`	`SELECT lo_unlink(1002);-- to be denied`
`1337`	`1347`	`ERROR: must be owner of large object 1002`
`1338`	`1348`	`SELECT lo_export(1001, '/dev/null');-- to be denied`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -779,6 +779,9 @@ SET SESSION AUTHORIZATION regress_user2;`
`779`	`779`	`SELECT lo_create(2001);`
`780`	`780`	`SELECT lo_create(2002);`
`781`	`781`
	`782`	`+SELECT loread(lo_open(1001, x'20000'::int),32);-- allowed, for now`
	`783`	`+SELECT lowrite(lo_open(1001, x'40000'::int),'abcd');-- fail, wrong mode`
	`784`	`+`
`782`	`785`	`SELECT loread(lo_open(1001, x'40000'::int),32);`
`783`	`786`	`SELECT loread(lo_open(1002, x'40000'::int),32);-- to be denied`
`784`	`787`	`SELECT loread(lo_open(1003, x'40000'::int),32);`
`@@ -818,6 +821,7 @@ SET SESSION AUTHORIZATION regress_user4;`
`818`	`821`	`SELECT loread(lo_open(1002, x'40000'::int),32);-- to be denied`
`819`	`822`	`SELECT lowrite(lo_open(1002, x'20000'::int),'abcd');-- to be denied`
`820`	`823`	`SELECT lo_truncate(lo_open(1002, x'20000'::int),10);-- to be denied`
	`824`	`+SELECT lo_put(1002,1,'abcd');-- to be denied`
`821`	`825`	`SELECT lo_unlink(1002);-- to be denied`
`822`	`826`	`SELECT lo_export(1001,'/dev/null');-- to be denied`
`823`	`827`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8d98819

File tree

3 files changed

3 files changed

`‎src/backend/libpq/be-fsstubs.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments