NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9993fa9

committed

Require the schema qualification in pg_temp.type_name(arg).

Commitaa27977 introduced thisrestriction for pg_temp.function_name(arg); do likewise for typescreated in temporary schemas. Programs that this breaks should add"pg_temp." schema qualification or switch to arg::type_name syntax.Back-patch to 9.4 (all supported versions).Reviewed by Tom Lane. Reported by Tom Lane.Security:CVE-2019-10208

1 parent106c663 commit9993fa9Copy full SHA for 9993fa9

File tree

9 files changed

+83

-5

lines changed

doc/src/sgml
- config.sgml
src
- backend
  - catalog
    - namespace.c
  - parser
    - parse_func.c
    - parse_type.c
  - utils/adt
    - ruleutils.c
- include
  - catalog
    - namespace.h
  - parser
    - parse_type.h
- test/regress
  - expected
    - temp.out
  - sql
    - temp.sql

9 files changed

+83

-5

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -7236,6 +7236,10 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;`
`7236`	`7236`	`be searched <emphasis>before</emphasis> searching any of the path items.`
`7237`	`7237`	`</para>`
`7238`	`7238`
	`7239`	`+ <!-- To further split hairs, funcname('foo') does not use the temporary`
	`7240`	`+ schema, even when it considers typname='funcname'. This paragraph`
	`7241`	`+ refers to function names in a loose sense, "pg_proc.proname or`
	`7242`	`+ func_name grammar production". -->`
`7239`	`7243`	`<para>`
`7240`	`7244`	`Likewise, the current session's temporary-table schema,`
`7241`	`7245`	`<literal>pg_temp_<replaceable>nnn</replaceable></literal>, is always searched if it`

`‎src/backend/catalog/namespace.c`

Lines changed: 14 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -757,13 +757,23 @@ RelationIsVisible(Oid relid)`
`757`	`757`
`758`	`758`	`/*`
`759`	`759`	`* TypenameGetTypid`
	`760`	`+ *Wrapper for binary compatibility.`
	`761`	`+ */`
	`762`	`+Oid`
	`763`	`+TypenameGetTypid(constchar*typname)`
	`764`	`+{`
	`765`	`+returnTypenameGetTypidExtended(typname, true);`
	`766`	`+}`
	`767`	`+`
	`768`	`+/*`
	`769`	`+ * TypenameGetTypidExtended`
`760`	`770`	`*Try to resolve an unqualified datatype name.`
`761`	`771`	`*Returns OID if type found in search path, else InvalidOid.`
`762`	`772`	`*`
`763`	`773`	`* This is essentially the same as RelnameGetRelid.`
`764`	`774`	`*/`
`765`	`775`	`Oid`
`766`		`-TypenameGetTypid(constchar*typname)`
	`776`	`+TypenameGetTypidExtended(constchar*typname,booltemp_ok)`
`767`	`777`	`{`
`768`	`778`	`Oidtypid;`
`769`	`779`	`ListCell*l;`
`@@ -774,6 +784,9 @@ TypenameGetTypid(const char *typname)`
`774`	`784`	`{`
`775`	`785`	`OidnamespaceId=lfirst_oid(l);`
`776`	`786`
	`787`	`+if (!temp_ok&&namespaceId==myTempNamespace)`
	`788`	`+continue;/* do not look in temp namespace */`
	`789`	`+`
`777`	`790`	`typid=GetSysCacheOid2(TYPENAMENSP,Anum_pg_type_oid,`
`778`	`791`	`PointerGetDatum(typname),`
`779`	`792`	`ObjectIdGetDatum(namespaceId));`

`‎src/backend/parser/parse_func.c`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1887,7 +1887,12 @@ FuncNameAsType(List *funcname)`
`1887`	`1887`	`Oidresult;`
`1888`	`1888`	`Typetyptup;`
`1889`	`1889`
`1890`		`-typtup=LookupTypeName(NULL,makeTypeNameFromNameList(funcname),NULL, false);`
	`1890`	`+/*`
	`1891`	`+ * temp_ok=false protects the <refsect1 id="sql-createfunction-security">`
	`1892`	`+ * contract for writing SECURITY DEFINER functions safely.`
	`1893`	`+ */`
	`1894`	`+typtup=LookupTypeNameExtended(NULL,makeTypeNameFromNameList(funcname),`
	`1895`	`+NULL, false, false);`
`1891`	`1896`	`if (typtup==NULL)`
`1892`	`1897`	`returnInvalidOid;`
`1893`	`1898`

`‎src/backend/parser/parse_type.c`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,18 @@ static int32 typenameTypeMod(ParseState pstate, const TypeName typeName,`
`33`	`33`
`34`	`34`	`/*`
`35`	`35`	`* LookupTypeName`
	`36`	`+ *Wrapper for typical case.`
	`37`	`+ */`
	`38`	`+Type`
	`39`	`+LookupTypeName(ParseStatepstate,constTypeNametypeName,`
	`40`	`+int32*typmod_p,boolmissing_ok)`
	`41`	`+{`
	`42`	`+returnLookupTypeNameExtended(pstate,`
	`43`	`+typeName,typmod_p, true,missing_ok);`
	`44`	`+}`
	`45`	`+`
	`46`	`+/*`
	`47`	`+ * LookupTypeNameExtended`
`36`	`48`	`*Given a TypeName object, lookup the pg_type syscache entry of the type.`
`37`	`49`	`*Returns NULL if no such type can be found. If the type is found,`
`38`	`50`	`*the typmod value represented in the TypeName struct is computed and`
`@@ -51,11 +63,17 @@ static int32 typenameTypeMod(ParseState pstate, const TypeName typeName,`
`51`	`63`	`* found but is a shell, and there is typmod decoration, an error will be`
`52`	`64`	`* thrown --- this is intentional.`
`53`	`65`	`*`
	`66`	`+ * If temp_ok is false, ignore types in the temporary namespace. Pass false`
	`67`	`+ * when the caller will decide, using goodness of fit criteria, whether the`
	`68`	`+ * typeName is actually a type or something else. If typeName always denotes`
	`69`	`+ * a type (or denotes nothing), pass true.`
	`70`	`+ *`
`54`	`71`	`* pstate is only used for error location info, and may be NULL.`
`55`	`72`	`*/`
`56`	`73`	`Type`
`57`		`-LookupTypeName(ParseStatepstate,constTypeNametypeName,`
`58`		`-int32*typmod_p,boolmissing_ok)`
	`74`	`+LookupTypeNameExtended(ParseState*pstate,`
	`75`	`+constTypeNametypeName,int32typmod_p,`
	`76`	`+booltemp_ok,boolmissing_ok)`
`59`	`77`	`{`
`60`	`78`	`Oidtypoid;`
`61`	`79`	`HeapTupletup;`
`@@ -172,7 +190,7 @@ LookupTypeName(ParseState pstate, const TypeName typeName,`
`172`	`190`	`else`
`173`	`191`	`{`
`174`	`192`	`/* Unqualified type name, so search the search path */`
`175`		`-typoid=TypenameGetTypid(typname);`
	`193`	`+typoid=TypenameGetTypidExtended(typname,temp_ok);`
`176`	`194`	`}`
`177`	`195`
`178`	`196`	`/* If an array reference, return the array type instead */`

`‎src/backend/utils/adt/ruleutils.c`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9477,6 +9477,14 @@ get_coercion_expr(Node arg, deparse_context context,`
`9477`	`9477`	`if (!PRETTY_PAREN(context))`
`9478`	`9478`	`appendStringInfoChar(buf,')');`
`9479`	`9479`	`}`
	`9480`	`+`
	`9481`	`+/*`
	`9482`	`+ * Never emit resulttype(arg) functional notation. A pg_proc entry could`
	`9483`	`+ * take precedence, and a resulttype in pg_temp would require schema`
	`9484`	`+ * qualification that format_type_with_typemod() would usually omit. We've`
	`9485`	`+ * standardized on arg::resulttype, but CAST(arg AS resulttype) notation`
	`9486`	`+ * would work fine.`
	`9487`	`+ */`
`9480`	`9488`	`appendStringInfo(buf,"::%s",`
`9481`	`9489`	`format_type_with_typemod(resulttype,resulttypmod));`
`9482`	`9490`	`}`

`‎src/include/catalog/namespace.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ extern OidRelnameGetRelid(const char *relname);`
`77`	`77`	`externboolRelationIsVisible(Oidrelid);`
`78`	`78`
`79`	`79`	`externOidTypenameGetTypid(constchar*typname);`
	`80`	`+externOidTypenameGetTypidExtended(constchar*typname,booltemp_ok);`
`80`	`81`	`externboolTypeIsVisible(Oidtypid);`
`81`	`82`
`82`	`83`	`externFuncCandidateListFuncnameGetCandidates(List*names,`

`‎src/include/parser/parse_type.h`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ typedef HeapTuple Type;`
`21`	`21`
`22`	`22`	`externTypeLookupTypeName(ParseStatepstate,constTypeNametypeName,`
`23`	`23`	`int32*typmod_p,boolmissing_ok);`
	`24`	`+externTypeLookupTypeNameExtended(ParseState*pstate,`
	`25`	`+constTypeNametypeName,int32typmod_p,`
	`26`	`+booltemp_ok,boolmissing_ok);`
`24`	`27`	`externOidLookupTypeNameOid(ParseStatepstate,constTypeNametypeName,`
`25`	`28`	`boolmissing_ok);`
`26`	`29`	`externTypetypenameType(ParseStatepstate,constTypeNametypeName,`

`‎src/test/regress/expected/temp.out`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,21 @@ select pg_temp.whoami();`
`199`	`199`	`(1 row)`
`200`	`200`
`201`	`201`	`drop table public.whereami;`
	`202`	`+-- types in temp schema`
	`203`	`+set search_path = pg_temp, public;`
	`204`	`+create domain pg_temp.nonempty as text check (value <> '');`
	`205`	`+-- function-syntax invocation of types matches rules for functions`
	`206`	`+select nonempty('');`
	`207`	`+ERROR: function nonempty(unknown) does not exist`
	`208`	`+LINE 1: select nonempty('');`
	`209`	`+ ^`
	`210`	`+HINT: No function matches the given name and argument types. You might need to add explicit type casts.`
	`211`	`+select pg_temp.nonempty('');`
	`212`	`+ERROR: value for domain nonempty violates check constraint "nonempty_check"`
	`213`	`+-- other syntax matches rules for tables`
	`214`	`+select ''::nonempty;`
	`215`	`+ERROR: value for domain nonempty violates check constraint "nonempty_check"`
	`216`	`+reset search_path;`
`202`	`217`	`-- For partitioned temp tables, ON COMMIT actions ignore storage-less`
`203`	`218`	`-- partitioned tables.`
`204`	`219`	`begin;`

`‎src/test/regress/sql/temp.sql`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,17 @@ select pg_temp.whoami();`
`152`	`152`
`153`	`153`	`droptablepublic.whereami;`
`154`	`154`
	`155`	`+-- types in temp schema`
	`156`	`+set search_path= pg_temp, public;`
	`157`	`+createdomainpg_temp.nonemptyastextcheck (value<>'');`
	`158`	`+-- function-syntax invocation of types matches rules for functions`
	`159`	`+select nonempty('');`
	`160`	`+selectpg_temp.nonempty('');`
	`161`	`+-- other syntax matches rules for tables`
	`162`	`+select''::nonempty;`
	`163`	`+`
	`164`	`+reset search_path;`
	`165`	`+`
`155`	`166`	`-- For partitioned temp tables, ON COMMIT actions ignore storage-less`
`156`	`167`	`-- partitioned tables.`
`157`	`168`	`begin;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9993fa9

File tree

9 files changed

9 files changed

`‎doc/src/sgml/config.sgml`

`‎src/backend/catalog/namespace.c`

`‎src/backend/parser/parse_func.c`

`‎src/backend/parser/parse_type.c`

`‎src/backend/utils/adt/ruleutils.c`

`‎src/include/catalog/namespace.h`

`‎src/include/parser/parse_type.h`

`‎src/test/regress/expected/temp.out`

`‎src/test/regress/sql/temp.sql`

0 commit comments