NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commitad0009e

committed

Force PL and range-type support functions to be owned by a superuser.

We allow non-superusers to create procedural languages (with restrictions)and range datatypes. Previously, the automatically-created supportfunctions for these objects ended up owned by the creating user. Thisrepresents a rather considerable security hazard, because the owning usermight be able to alter a support function's definition in such a way as tocrash the server, inject trojan-horse SQL code, or even execute arbitraryC code directly. It appears that right now the only actually exploitableproblem is the infinite-recursion bug fixed in the previous patch forCVE-2012-2655. However, it's not hard to imagine that future additions ofmore ALTER FUNCTION capability might unintentionally open up new hazards.To forestall future problems, cause these support functions to be owned bythe bootstrap superuser, not the user creating the parent object.

1 parent33c6eaf commitad0009eCopy full SHA for ad0009e

File tree

6 files changed

+10

-1

lines changed

src
- backend
  - catalog
    - pg_aggregate.c
    - pg_proc.c
  - commands
- include/catalog
  - pg_proc_fn.h

6 files changed

+10

-1

lines changed

`‎src/backend/catalog/pg_aggregate.c`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -233,6 +233,7 @@ AggregateCreate(const char *aggName,`
`233`	`233`	`false,/* no replacement */`
`234`	`234`	`false,/* doesn't return a set */`
`235`	`235`	`finaltype,/* returnType */`
	`236`	`+GetUserId(),/* proowner */`
`236`	`237`	`INTERNALlanguageId,/* languageObjectId */`
`237`	`238`	`InvalidOid,/* no validator */`
`238`	`239`	`"aggregate_dummy",/* placeholder proc */`

`‎src/backend/catalog/pg_proc.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ ProcedureCreate(const char *procedureName,`
`69`	`69`	`boolreplace,`
`70`	`70`	`boolreturnsSet,`
`71`	`71`	`OidreturnType,`
	`72`	`+Oidproowner,`
`72`	`73`	`OidlanguageObjectId,`
`73`	`74`	`OidlanguageValidator,`
`74`	`75`	`constchar*prosrc,`
`@@ -100,7 +101,6 @@ ProcedureCreate(const char *procedureName,`
`100`	`101`	`boolinternalInParam= false;`
`101`	`102`	`boolinternalOutParam= false;`
`102`	`103`	`OidvariadicType=InvalidOid;`
`103`		`-Oidproowner=GetUserId();`
`104`	`104`	`Acl*proacl=NULL;`
`105`	`105`	`Relationrel;`
`106`	`106`	`HeapTupletup;`

`‎src/backend/commands/functioncmds.c`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -978,6 +978,7 @@ CreateFunction(CreateFunctionStmt stmt, const char queryString)`
`978`	`978`	`stmt->replace,`
`979`	`979`	`returnsSet,`
`980`	`980`	`prorettype,`
	`981`	`+GetUserId(),`
`981`	`982`	`languageOid,`
`982`	`983`	`languageValidator,`
`983`	`984`	`prosrc_str,/* converted to text later */`

`‎src/backend/commands/proclang.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`#include"catalog/dependency.h"`
`19`	`19`	`#include"catalog/indexing.h"`
`20`	`20`	`#include"catalog/objectaccess.h"`
	`21`	`+#include"catalog/pg_authid.h"`
`21`	`22`	`#include"catalog/pg_language.h"`
`22`	`23`	`#include"catalog/pg_namespace.h"`
`23`	`24`	`#include"catalog/pg_pltemplate.h"`
`@@ -124,6 +125,7 @@ CreateProceduralLanguage(CreatePLangStmt *stmt)`
`124`	`125`	`false,/* replace */`
`125`	`126`	`false,/* returnsSet */`
`126`	`127`	`LANGUAGE_HANDLEROID,`
	`128`	`+BOOTSTRAP_SUPERUSERID,`
`127`	`129`	`ClanguageId,`
`128`	`130`	`F_FMGR_C_VALIDATOR,`
`129`	`131`	`pltemplate->tmplhandler,`
`@@ -160,6 +162,7 @@ CreateProceduralLanguage(CreatePLangStmt *stmt)`
`160`	`162`	`false,/* replace */`
`161`	`163`	`false,/* returnsSet */`
`162`	`164`	`VOIDOID,`
	`165`	`+BOOTSTRAP_SUPERUSERID,`
`163`	`166`	`ClanguageId,`
`164`	`167`	`F_FMGR_C_VALIDATOR,`
`165`	`168`	`pltemplate->tmplinline,`
`@@ -199,6 +202,7 @@ CreateProceduralLanguage(CreatePLangStmt *stmt)`
`199`	`202`	`false,/* replace */`
`200`	`203`	`false,/* returnsSet */`
`201`	`204`	`VOIDOID,`
	`205`	`+BOOTSTRAP_SUPERUSERID,`
`202`	`206`	`ClanguageId,`
`203`	`207`	`F_FMGR_C_VALIDATOR,`
`204`	`208`	`pltemplate->tmplvalidator,`

`‎src/backend/commands/typecmds.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@`
`38`	`38`	`#include"catalog/dependency.h"`
`39`	`39`	`#include"catalog/heap.h"`
`40`	`40`	`#include"catalog/indexing.h"`
	`41`	`+#include"catalog/pg_authid.h"`
`41`	`42`	`#include"catalog/pg_collation.h"`
`42`	`43`	`#include"catalog/pg_constraint.h"`
`43`	`44`	`#include"catalog/pg_depend.h"`
`@@ -1513,6 +1514,7 @@ makeRangeConstructors(const char *name, Oid namespace,`
`1513`	`1514`	`false,/* replace */`
`1514`	`1515`	`false,/* returns set */`
`1515`	`1516`	`rangeOid,/* return type */`
	`1517`	`+BOOTSTRAP_SUPERUSERID,/* proowner */`
`1516`	`1518`	`INTERNALlanguageId,/* language */`
`1517`	`1519`	`F_FMGR_INTERNAL_VALIDATOR,/* language validator */`
`1518`	`1520`	`prosrc[i],/* prosrc */`

`‎src/include/catalog/pg_proc_fn.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ extern Oid ProcedureCreate(const char *procedureName,`
`21`	`21`	`boolreplace,`
`22`	`22`	`boolreturnsSet,`
`23`	`23`	`OidreturnType,`
	`24`	`+Oidproowner,`
`24`	`25`	`OidlanguageObjectId,`
`25`	`26`	`OidlanguageValidator,`
`26`	`27`	`constchar*prosrc,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitad0009e

File tree

6 files changed

6 files changed

`‎src/backend/catalog/pg_aggregate.c`

`‎src/backend/catalog/pg_proc.c`

`‎src/backend/commands/functioncmds.c`

`‎src/backend/commands/proclang.c`

`‎src/backend/commands/typecmds.c`

`‎src/include/catalog/pg_proc_fn.h`

0 commit comments