Commit9408028

Fix security checks for selectivity estimation functions with RLS.
In commit e2d4ef8, security checks were added to prevent user-supplied operators from running over data from pg_statistic unless the user has table or column privileges on the table, or the operator is leakproof. For a table with RLS, however, checking for table or column privileges is insufficient, since that does not guarantee that the user has permission to view all of the column's data. Fix this by also checking for securityQuals on the RTE, and insisting that the operator be leakproof if there are any. Thus the leakproofness check will only be skipped if there are no securityQuals and the user has table or column privileges on the table -- i.e., only if we know that the user has access to all the data in the column. Back-patch to 9.5 where RLS was added. Dean Rasheed, reviewed by Jonathan Katz and Stephen Frost. Security: CVE-2019-10130
1 parent443ca97 commit9408028

3 files changed

+56
-6
lines changed

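--- a/src/backend/utils/adt/selfuncs.c
+++ b/src/backend/utils/adt/selfuncs.c
@@ -4786,9 +4786,13 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
 * For simplicity, we insist on the whole
 * table being selectable, rather than trying
 * to identify which column(s) the index
-* depends on.
+* depends on. Also require all rows to be
+* selectable --- there must be no
+* securityQuals from security barrier views
+* or RLS policies.
 */
 vardata->acl_ok=
+rte->securityQuals==NIL&&
 (pg_class_aclcheck(rte->relid,GetUserId(),
 ACL_SELECT)==ACLCHECK_OK);
 }
@@ -4852,12 +4856,17 @@ examine_simple_variable(PlannerInfo *root, Var *var,
 
 if (HeapTupleIsValid(vardata->statsTuple))
 {
-/* check if user has permission to read this column */
+/*
+* Check if user has permission to read this column. We require
+* all rows to be accessible, so there must be no securityQuals
+* from security barrier views or RLS policies.
+*/
 vardata->acl_ok=
-(pg_class_aclcheck(rte->relid,GetUserId(),
-ACL_SELECT)==ACLCHECK_OK)||
-(pg_attribute_aclcheck(rte->relid,var->varattno,GetUserId(),
-ACL_SELECT)==ACLCHECK_OK);
+rte->securityQuals==NIL&&
+((pg_class_aclcheck(rte->relid,GetUserId(),
+ACL_SELECT)==ACLCHECK_OK)||
+(pg_attribute_aclcheck(rte->relid,var->varattno,GetUserId(),
+ACL_SELECT)==ACLCHECK_OK));
 }
 else
 {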
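Review bot: Both new acl_ok expressions still evaluate the privilege half of the test as `GetUserId()`, whereas the executor's own permission check for a range-table entry honours `rte->checkAsUser` when the RTE was supplied through a view; if that applies on this path as well, the estimator can consult pg_statistic under a different identity (session user versus view owner) than the one the query is actually permission-checked as, so the leakproof requirement may be waived or imposed on the wrong basis. I would add `Oid userid = rte->checkAsUser ? rte->checkAsUser : GetUserId();` ahead of each assignment and pass `userid` to `pg_class_aclcheck` and `pg_attribute_aclcheck` in place of `GetUserId()`. The `rte->securityQuals == NIL` half of the test does not depend on the identity used and is unaffected. Both examine_variable and examine_simple_variable begin and end outside the hunks shown, so any earlier computation of the user id in those functions is not visible here.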

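--- a/src/test/regress/expected/rowsecurity.out
+++ b/src/test/regress/expected/rowsecurity.out
@@ -3938,6 +3938,27 @@ RESET SESSION AUTHORIZATION;
 DROP VIEW rls_view;
 DROP TABLE rls_tbl;
 DROP TABLE ref_tbl;
+-- Leaky operator test
+CREATE TABLE rls_tbl (a int);
+INSERT INTO rls_tbl SELECT x/10 FROM generate_series(1, 100) x;
+ANALYZE rls_tbl;
+ALTER TABLE rls_tbl ENABLE ROW LEVEL SECURITY;
+GRANT SELECT ON rls_tbl TO regress_rls_alice;
+SET SESSION AUTHORIZATION regress_rls_alice;
+CREATE FUNCTION op_leak(int, int) RETURNS bool
+AS 'BEGIN RAISE NOTICE ''op_leak => %, %'', $1, $2; RETURN $1 < $2; END'
+LANGUAGE plpgsql;
+CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int,
+restrict = scalarltsel);
+SELECT * FROM rls_tbl WHERE a <<< 1000;
+a
+---
+(0 rows)
+
+DROP OPERATOR <<< (int, int);
+DROP FUNCTION op_leak(int, int);
+RESET SESSION AUTHORIZATION;
+DROP TABLE rls_tbl;
 --
 -- Clean up objects
 --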

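--- a/src/test/regress/sql/rowsecurity.sql
+++ b/src/test/regress/sql/rowsecurity.sql
@@ -1793,6 +1793,26 @@ DROP VIEW rls_view;
 DROPTABLE rls_tbl;
 DROPTABLE ref_tbl;
 
+-- Leaky operator test
+CREATETABLErls_tbl (aint);
+INSERT INTO rls_tblSELECT x/10FROM generate_series(1,100) x;
+ANALYZE rls_tbl;
+
+ALTERTABLE rls_tbl ENABLE ROW LEVEL SECURITY;
+GRANTSELECTON rls_tbl TO regress_rls_alice;
+
+SET SESSION AUTHORIZATION regress_rls_alice;
+CREATEFUNCTIONop_leak(int,int) RETURNS bool
+AS'BEGIN RAISE NOTICE''op_leak => %, %'', $1, $2; RETURN $1 < $2; END'
+LANGUAGE plpgsql;
+CREATE OPERATOR<<< (procedure= op_leak, leftarg=int, rightarg=int,
+restrict= scalarltsel);
+SELECT*FROM rls_tblWHERE a<<<1000;
+DROPOPERATOR<<< (int,int);
+DROPFUNCTION op_leak(int,int);
+RESET SESSION AUTHORIZATION;
+DROPTABLE rls_tbl;
+
 --
 -- Clean up objects
 --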
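Review bot: The new regression test exercises only the RLS path, although the new selfuncs.c comments state that securityQuals can also originate from security barrier views; a second query with the same `<<<` operator through a `CREATE VIEW ... WITH (security_barrier)` over a plain table without RLS would cover that branch of the same check. The test's real assertion is the absence of an `op_leak => ...` NOTICE in the expected output, since rls_tbl has RLS enabled but no policy and so presumably returns 0 rows to regress_rls_alice under default-deny regardless of whether the estimator ran the operator; a comment such as `-- op_leak must not be invoked by scalarltsel on pg_statistic data: no NOTICE expected` before the SELECT would make that intent explicit to the next maintainer. The estimator can only be tempted to call op_leak if the preceding ANALYZE produced MCV or histogram entries for column a, which the 100-row insert presumably ensures but which the test does not verify.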
