NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitb5b1240

committed

Match pg_user_mappings limits to information_schema.user_mapping_options.

Both views replace the umoptions field with NULL when the user does notmeet qualifications to see it. They used different qualifications, andpg_user_mappings documented qualifications did not match its implementedqualifications. Make its documentation and implementation match thoseof user_mapping_options. One might argue for stronger qualifications,but these have long, documented tenure. pg_user_mappings has alwaysexhibited this problem, so back-patch to 9.2 (all supported versions).Michael Paquier and Feike Steenbergen. Reviewed by Jeff Janes.Reported by Andrew Wheelwright.Security:CVE-2017-7486

1 parent3eab811 commitb5b1240Copy full SHA for b5b1240

File tree

5 files changed

+82

-8

lines changed

doc/src/sgml
- catalogs.sgml
src
- backend/catalog
  - system_views.sql
- test/regress
  - expected
    - foreign_data.out
    - rules.out
  - sql
    - foreign_data.sql

5 files changed

+82

-8

lines changed

`‎doc/src/sgml/catalogs.sgml`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -9212,8 +9212,11 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`9212`	`9212`	`<entry></entry>`
`9213`	`9213`	`<entry>`
`9214`	`9214`	`User mapping specific options, as <quote>keyword=value</>`
`9215`		`- strings, if the current user is the owner of the foreign`
`9216`		`- server, else null`
	`9215`	`+ strings. This column will show as null unless the current user`
	`9216`	`+ is the user being mapped, or the mapping is for`
	`9217`	`+ <literal>PUBLIC</literal> and the current user is the server`
	`9218`	`+ owner, or the current user is a superuser. The intent is`
	`9219`	`+ to protect password information stored as user mapping option.`
`9217`	`9220`	`</entry>`
`9218`	`9221`	`</row>`
`9219`	`9222`	`</tbody>`

`‎src/backend/catalog/system_views.sql`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -696,11 +696,11 @@ CREATE VIEW pg_user_mappings AS`
`696`	`696`	`ELSE`
`697`	`697`	`A.rolname`
`698`	`698`	`ENDAS usename,`
`699`		`- CASE WHENpg_has_role(S.srvowner,'USAGE')OR has_server_privilege(S.oid,'USAGE') THEN`
`700`		`-U.umoptions`
`701`		`-ELSE`
`702`		`-NULL`
`703`		`- ENDAS umoptions`
	`699`	`+ CASE WHEN(U.umuser<>0ANDA.rolname=current_user)`
	`700`	`+OR (U.umuser=0AND pg_has_role(S.srvowner,'USAGE'))`
	`701`	`+OR (SELECT rolsuperFROM pg_authidWHERE rolname=current_user)`
	`702`	`+ THENU.umoptions`
	`703`	`+ ELSENULLENDAS umoptions`
`704`	`704`	`FROM pg_user_mapping U`
`705`	`705`	`LEFT JOIN pg_authid AON (A.oid=U.umuser)JOIN`
`706`	`706`	`pg_foreign_server SON (U.umserver=S.oid);`

`‎src/test/regress/expected/foreign_data.out`

Lines changed: 54 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1157,7 +1157,61 @@ WARNING: no privileges were granted for "s9"`
`1157`	`1157`	`CREATE USER MAPPING FOR current_user SERVER s9;`
`1158`	`1158`	`DROP SERVER s9 CASCADE; -- ERROR`
`1159`	`1159`	`ERROR: must be owner of foreign server s9`
	`1160`	`+-- Check visibility of user mapping data`
	`1161`	`+SET ROLE regress_test_role;`
	`1162`	`+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;`
	`1163`	`+CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');`
	`1164`	`+GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;`
	`1165`	`+-- owner of server can see option fields`
	`1166`	`+\deu+`
	`1167`	`+ List of user mappings`
	`1168`	`+ Server \| User name \| FDW Options`
	`1169`	`+--------+-------------------+-------------------`
	`1170`	`+ s10 \| public \| ("user" 'secret')`
	`1171`	`+ s4 \| foreign_data_user \|`
	`1172`	`+ s5 \| regress_test_role \| (modified '1')`
	`1173`	`+ s6 \| regress_test_role \|`
	`1174`	`+ s8 \| foreign_data_user \|`
	`1175`	`+ s8 \| public \|`
	`1176`	`+ s9 \| unprivileged_role \|`
	`1177`	`+ t1 \| public \| (modified '1')`
	`1178`	`+(8 rows)`
	`1179`	`+`
	`1180`	`+RESET ROLE;`
	`1181`	`+-- superuser can see option fields`
	`1182`	`+\deu+`
	`1183`	`+ List of user mappings`
	`1184`	`+ Server \| User name \| FDW Options`
	`1185`	`+--------+-------------------+---------------------`
	`1186`	`+ s10 \| public \| ("user" 'secret')`
	`1187`	`+ s4 \| foreign_data_user \|`
	`1188`	`+ s5 \| regress_test_role \| (modified '1')`
	`1189`	`+ s6 \| regress_test_role \|`
	`1190`	`+ s8 \| foreign_data_user \| (password 'public')`
	`1191`	`+ s8 \| public \|`
	`1192`	`+ s9 \| unprivileged_role \|`
	`1193`	`+ t1 \| public \| (modified '1')`
	`1194`	`+(8 rows)`
	`1195`	`+`
	`1196`	`+-- unprivileged user cannot see option fields`
	`1197`	`+SET ROLE unprivileged_role;`
	`1198`	`+\deu+`
	`1199`	`+ List of user mappings`
	`1200`	`+ Server \| User name \| FDW Options`
	`1201`	`+--------+-------------------+-------------`
	`1202`	`+ s10 \| public \|`
	`1203`	`+ s4 \| foreign_data_user \|`
	`1204`	`+ s5 \| regress_test_role \|`
	`1205`	`+ s6 \| regress_test_role \|`
	`1206`	`+ s8 \| foreign_data_user \|`
	`1207`	`+ s8 \| public \|`
	`1208`	`+ s9 \| unprivileged_role \|`
	`1209`	`+ t1 \| public \|`
	`1210`	`+(8 rows)`
	`1211`	`+`
`1160`	`1212`	`RESET ROLE;`
	`1213`	`+DROP SERVER s10 CASCADE;`
	`1214`	`+NOTICE: drop cascades to user mapping for public on server s10`
`1161`	`1215`	`-- DROP FOREIGN TABLE`
`1162`	`1216`	`DROP FOREIGN TABLE no_table; -- ERROR`
`1163`	`1217`	`ERROR: foreign table "no_table" does not exist`

`‎src/test/regress/expected/rules.out`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2026,7 +2026,9 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem`
`2026`	`2026`	`\| ELSE a.rolname +`
`2027`	`2027`	`\| END AS usename, +`
`2028`	`2028`	`\| CASE +`
`2029`		`- \| WHEN (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text)) THEN u.umoptions +`
	`2029`	`+ \| WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper +`
	`2030`	`+ \| FROM pg_authid +`
	`2031`	`+ \| WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions +`
`2030`	`2032`	`\| ELSE NULL::text[] +`
`2031`	`2033`	`\| END AS umoptions +`
`2032`	`2034`	`\| FROM ((pg_user_mapping u +`

`‎src/test/regress/sql/foreign_data.sql`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -468,7 +468,22 @@ ALTER SERVER s9 VERSION '1.2'; -- ERROR`
`468`	`468`	`GRANT USAGEON FOREIGN SERVER s9 TO regress_test_role;-- WARNING`
`469`	`469`	`CREATEUSERMAPPING FORcurrent_user SERVER s9;`
`470`	`470`	`DROP SERVER s9 CASCADE;-- ERROR`
	`471`	`+`
	`472`	`+-- Check visibility of user mapping data`
	`473`	`+SET ROLE regress_test_role;`
	`474`	`+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;`
	`475`	`+CREATEUSERMAPPING FOR public SERVER s10 OPTIONS (user'secret');`
	`476`	`+GRANT USAGEON FOREIGN SERVER s10 TO unprivileged_role;`
	`477`	`+-- owner of server can see option fields`
	`478`	`+\deu+`
	`479`	`+RESET ROLE;`
	`480`	`+-- superuser can see option fields`
	`481`	`+\deu+`
	`482`	`+-- unprivileged user cannot see option fields`
	`483`	`+SET ROLE unprivileged_role;`
	`484`	`+\deu+`
`471`	`485`	`RESET ROLE;`
	`486`	`+DROP SERVER s10 CASCADE;`
`472`	`487`
`473`	`488`	`-- DROP FOREIGN TABLE`
`474`	`489`	`DROP FOREIGN TABLE no_table;-- ERROR`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb5b1240

File tree

5 files changed

5 files changed

`‎doc/src/sgml/catalogs.sgml`

`‎src/backend/catalog/system_views.sql`

`‎src/test/regress/expected/foreign_data.out`

`‎src/test/regress/expected/rules.out`

`‎src/test/regress/sql/foreign_data.sql`

0 commit comments