pgsql: Prevent privilege escalation in explicit calls to PL validators.
From | Noah Misch |
---|---|
Subject | pgsql: Prevent privilege escalation in explicit calls to PL validators. |
Date | |
Msg-id | E1WFPlR-0000fO-76@gemulon.postgresql.org |
List | pgsql-committers |
Prevent privilege escalation in explicit calls to PL validators.

The primary role of PL validators is to be called implicitly during CREATE FUNCTION, but they are also normal functions that a user can call explicitly. Add a permissions check to each validator to ensure that a user cannot use explicit validator calls to achieve things he could not otherwise achieve. Back-patch to 8.4 (all supported versions). Non-core procedural language extensions ought to make the same two-line change to their own validators.

Andres Freund, reviewed by Tom Lane and Noah Misch.

Security: CVE-2014-0061

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/537cbd35c893e67a63c59bc636c3e888bd228bc7

Modified Files
--------------
doc/src/sgml/plhandler.sgml | 5 ++-
src/backend/catalog/pg_proc.c | 9 ++++
src/backend/commands/functioncmds.c | 1 -
src/backend/utils/fmgr/fmgr.c | 84 +++++++++++++++++++++++++++++++++++
src/include/fmgr.h | 1 +
src/pl/plperl/plperl.c | 4 ++
src/pl/plpgsql/src/pl_handler.c | 3 ++
src/pl/plpython/plpy_main.c | 4 ++
8 files changed, 109 insertions(+), 2 deletions(-)