Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitf8d799e

Browse files
committed
Handle RLS dependencies in inlined set-returning functions properly.
If an SRF in the FROM clause references a table having row-levelsecurity policies, and we inline that SRF into the calling query,we neglected to mark the plan as potentially dependent on whichrole is executing it. This could lead to later executions in thesame session returning or hiding rows that should have been hiddenor returned instead.Our thanks to Wolfgang Walther for reporting this problem.Stephen Frost and Tom LaneSecurity:CVE-2023-2455
1 parent01e8182 commitf8d799e

File tree

3 files changed

+54
-0
lines changed

3 files changed

+54
-0
lines changed

‎src/backend/optimizer/util/clauses.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5095,6 +5095,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
50955095
*/
50965096
record_plan_function_dependency(root,func_oid);
50975097

5098+
/*
5099+
* We must also notice if the inserted query adds a dependency on the
5100+
* calling role due to RLS quals.
5101+
*/
5102+
if (querytree->hasRowSecurity)
5103+
root->glob->dependsOnRole= true;
5104+
50985105
returnquerytree;
50995106

51005107
/* Here if func is not inlinable: release temp memory and return NULL */

‎src/test/regress/expected/rowsecurity.out

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4019,6 +4019,33 @@ SELECT * FROM rls_tbl;
40194019

40204020
DROP TABLE rls_tbl;
40214021
RESET SESSION AUTHORIZATION;
4022+
-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
4023+
create table rls_t (c text);
4024+
insert into rls_t values ('invisible to bob');
4025+
alter table rls_t enable row level security;
4026+
grant select on rls_t to regress_rls_alice, regress_rls_bob;
4027+
create policy p1 on rls_t for select to regress_rls_alice using (true);
4028+
create policy p2 on rls_t for select to regress_rls_bob using (false);
4029+
create function rls_f () returns setof rls_t
4030+
stable language sql
4031+
as $$ select * from rls_t $$;
4032+
prepare q as select current_user, * from rls_f();
4033+
set role regress_rls_alice;
4034+
execute q;
4035+
current_user | c
4036+
-------------------+------------------
4037+
regress_rls_alice | invisible to bob
4038+
(1 row)
4039+
4040+
set role regress_rls_bob;
4041+
execute q;
4042+
current_user | c
4043+
--------------+---
4044+
(0 rows)
4045+
4046+
RESET ROLE;
4047+
DROP FUNCTION rls_f();
4048+
DROP TABLE rls_t;
40224049
--
40234050
-- Clean up objects
40244051
--

‎src/test/regress/sql/rowsecurity.sql

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1873,6 +1873,26 @@ SELECT * FROM rls_tbl;
18731873
DROPTABLE rls_tbl;
18741874
RESET SESSION AUTHORIZATION;
18751875

1876+
-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
1877+
createtablerls_t (ctext);
1878+
insert into rls_tvalues ('invisible to bob');
1879+
altertable rls_t enable row level security;
1880+
grantselecton rls_t to regress_rls_alice, regress_rls_bob;
1881+
create policy p1on rls_t forselect to regress_rls_alice using (true);
1882+
create policy p2on rls_t forselect to regress_rls_bob using (false);
1883+
createfunctionrls_f () returns setof rls_t
1884+
stable language sql
1885+
as $$select*from rls_t $$;
1886+
prepare qasselectcurrent_user,*from rls_f();
1887+
set role regress_rls_alice;
1888+
execute q;
1889+
set role regress_rls_bob;
1890+
execute q;
1891+
1892+
RESET ROLE;
1893+
DROPFUNCTION rls_f();
1894+
DROPTABLE rls_t;
1895+
18761896
--
18771897
-- Clean up objects
18781898
--

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp