rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix priv checks for ALTER <object> DEPENDS ON EXTENSION 

Marking an object as dependant on an extension did not have any
privilege check whatsoever; this allowed any user to mark objects as
droppable by anyone able to DROP EXTENSION, which could be used to cause
system-wide havoc.  Disallow by checking that the calling user owns the
mentioned object.

(No constraints are placed on the extension.)

Security: CVE-2020-1720
Reported-by: Tom Lane
Discussion: 31605.1566429043@sss.pgh.pa.us
This commit is contained in:
Alvaro Herrera 2020-02-10 11:47:09 -03:00
parent c59b0be988
commit bdd19e48a8
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/backend/commands/alter.c
View File

@ -432,6 +432,17 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre
get_object_address_rv(stmt->objectType, stmt->relation, (List *) stmt->object,
&rel, AccessExclusiveLock, false);
/*
* Verify that the user is entitled to run the command.
*
* We don't check any privileges on the extension, because that's not
* needed. The object owner is stipulating, by running this command, that
* the extension owner can drop the object whenever they feel like it,
* which is not considered a problem.
*/
check_object_ownership(GetUserId(),
stmt->objectType, address, stmt->object, rel);
/*
* If a relation was involved, it would have been opened and locked. We
* don't need the relation here, but we'll retain the lock until commit.