Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitf4f2883

Browse files
committed
Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security context
The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY arecorrectly executed in SECURITY_RESTRICTED_OPERATION mode, except forcreating the temporary "diff" table, because you cannot createtemporary tables in SRO mode. But creating the temporary "diff" tableis a pretty complex CTAS command that selects from another temporarytable created earlier in the command. If you can cajole that CTAScommand to execute code defined by the table owner, the table ownercan run code with the privileges of the user running the REFRESHcommand.The proof-of-concept reported to the security team relied on CREATERULE to convert the internally-built temp table to a view. That's notpossible since commitb23cd18, and I was not able to find adifferent way to turn the SELECT on the temp table into codeexecution, so as far as I know this is only exploitable in v15 andbelow. That's a fiddly assumption though, so apply this patch tomaster and all stable versions.Thanks to Pedro Gallegos for the report.Security:CVE-2023-5869Reviewed-by: Noah Misch
1 parent42a13de commitf4f2883

File tree

1 file changed

+26
-7
lines changed

1 file changed

+26
-7
lines changed

‎src/backend/commands/matview.c

Lines changed: 26 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -655,13 +655,35 @@ refresh_by_match_merge(Oid matviewOid, Oid tempOid, Oid relowner,
655655
SPI_getvalue(SPI_tuptable->vals[0],SPI_tuptable->tupdesc,1))));
656656
}
657657

658+
/*
659+
* Create the temporary "diff" table.
660+
*
661+
* Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
662+
* because you cannot create temp tables in SRO context. For extra
663+
* paranoia, add the composite type column only after switching back to
664+
* SRO context.
665+
*/
658666
SetUserIdAndSecContext(relowner,
659667
save_sec_context |SECURITY_LOCAL_USERID_CHANGE);
668+
resetStringInfo(&querybuf);
669+
appendStringInfo(&querybuf,
670+
"CREATE TEMP TABLE %s (tid pg_catalog.tid)",
671+
diffname);
672+
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
673+
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
674+
SetUserIdAndSecContext(relowner,
675+
save_sec_context |SECURITY_RESTRICTED_OPERATION);
676+
resetStringInfo(&querybuf);
677+
appendStringInfo(&querybuf,
678+
"ALTER TABLE %s ADD COLUMN newdata %s",
679+
diffname,tempname);
680+
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
681+
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
660682

661-
/* Start building the query forcreating the diff table. */
683+
/* Start building the query forpopulating the diff table. */
662684
resetStringInfo(&querybuf);
663685
appendStringInfo(&querybuf,
664-
"CREATE TEMP TABLE %s AS "
686+
"INSERT INTO %s "
665687
"SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
666688
"FROM %s mv FULL JOIN %s newdata ON (",
667689
diffname,tempname,matviewname,tempname);
@@ -790,13 +812,10 @@ refresh_by_match_merge(Oid matviewOid, Oid tempOid, Oid relowner,
790812
"WHERE newdata.* IS NULL OR mv.* IS NULL "
791813
"ORDER BY tid");
792814

793-
/*Create the temporary "diff" table. */
794-
if (SPI_exec(querybuf.data,0)!=SPI_OK_UTILITY)
815+
/*Populate the temporary "diff" table. */
816+
if (SPI_exec(querybuf.data,0)!=SPI_OK_INSERT)
795817
elog(ERROR,"SPI_exec failed: %s",querybuf.data);
796818

797-
SetUserIdAndSecContext(relowner,
798-
save_sec_context |SECURITY_RESTRICTED_OPERATION);
799-
800819
/*
801820
* We have no further use for data from the "full-data" temp table, but we
802821
* must keep it around because its type is referenced from the diff table.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp