rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/backend
History
Tom Lane 891e6e7bfd Require execute permission on the trigger function for CREATE TRIGGER. 
This check was overlooked when we added function execute permissions to the
system years ago.  For an ordinary trigger function it's not a big deal,
since trigger functions execute with the permissions of the table owner,
so they couldn't do anything the user issuing the CREATE TRIGGER couldn't
have done anyway.  However, if a trigger function is SECURITY DEFINER,
that is not the case.  The lack of checking would allow another user to
install it on his own table and then invoke it with, essentially, forged
input data; which the trigger function is unlikely to realize, so it might
do something undesirable, for instance insert false entries in an audit log
table.

Reported by Dinesh Kumar, patch by Robert Haas

Security: CVE-2012-0866
 		2012-02-23 15:38:56 -05:00
..
access Don't clear btpo_cycleid during _bt_vacuum_one_page. 2012-02-21 15:03:36 -05:00
bootstrap Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
catalog REASSIGN OWNED: Support foreign data wrappers and servers 2012-02-22 17:33:12 -03:00
commands Require execute permission on the trigger function for CREATE TRIGGER. 2012-02-23 15:38:56 -05:00
executor Make EXPLAIN (BUFFERS) track blocks dirtied, as well as those written. 2012-02-22 20:33:05 -05:00
foreign Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
lib Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
libpq Fix build without OpenSSL 2012-02-23 10:20:25 +02:00
main Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
nodes Use parameterized paths to generate inner indexscans more flexibly. 2012-01-27 19:26:38 -05:00
optimizer Preserve column names in the execution-time tupledesc for a RowExpr. 2012-02-14 17:34:56 -05:00
parser Make CREATE/ALTER FUNCTION support NOT LEAKPROOF. 2012-02-15 10:45:08 -05:00
po Translation updates 2011-08-17 14:07:46 +03:00
port Fix poll() implementation of WaitLatchOrSocket to notice postmaster death. 2012-01-15 22:08:03 +02:00
postmaster Avoid double close of file handle in syslogger on win32 2012-02-21 17:12:25 +01:00
regex Fix regex back-references that are directly quantified with *. 2012-02-20 00:52:33 -05:00
replication Minor bug fix and cleanup from self-review of sync rep queues patch. 2012-01-30 14:36:17 +00:00
rewrite Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
snowball Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
storage Make EXPLAIN (BUFFERS) track blocks dirtied, as well as those written. 2012-02-22 20:33:05 -05:00
tcop Run a portal's cleanup hook immediately when pushing it to FAILED state. 2012-02-15 16:19:01 -05:00
tsearch Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
utils Add parameters for controlling locations of server-side SSL files 2012-02-22 23:40:46 +02:00
.gitignore Add gitignore for mingw/cygwin build outputs 2011-06-09 18:11:47 +02:00
Makefile Speed up in-memory tuplesorting. 2012-02-15 12:13:32 -05:00
common.mk Workaround for recursive make breakage 2011-01-13 09:32:06 +02:00
nls.mk Sort file list when creating gettext-files 2011-12-27 20:20:56 +02:00