postgresql/src/backend
Tom Lane 50c6bb0224 Fix enforcement of SELECT FOR UPDATE permissions with nested views.
SELECT FOR UPDATE on a view should require UPDATE (as well as SELECT)
permissions on the view, and then the view's owner needs those same
permissions against the relations it references, and so on all the way
down to base tables.  But ApplyRetrieveRule did things in the wrong order,
resulting in failure to mark intermediate view levels as needing UPDATE
permission.  Thus for example, if user A creates a table T and an updatable
view V1 on T, then grants only SELECT permissions on V1 to user B, B could
create a second view V2 on V1 and then would be allowed to perform SELECT
FOR UPDATE via V2 (since V1 wouldn't be checked for UPDATE permissions).

To fix, just switch the order of expanding sub-views and marking referenced
objects as needing UPDATE permission.  I think additional simplifications
are now possible, but that's distinct from the bug fix proper.

This is certainly a security issue, but the consequences are pretty minor
(just the ability to lock rows that shouldn't be lockable).  Against that
we have a small risk of breaking applications that are working as-desired,
since nested views have behaved this way since such cases worked at all.
On balance I'm inclined not to back-patch.

Per report from Alexander Lakhin.

Discussion: https://postgr.es/m/24db7b8f-3de5-e25f-7ab9-d8848351d42c@gmail.com
2018-04-14 15:38:09 -04:00
access Prevent segfault in expand_tuple with no missing values 2018-04-13 16:43:33 -04:00
bootstrap Allow group access on PGDATA 2018-04-07 17:45:39 -04:00
catalog Add comment about default partition in check_new_partition_bound 2018-04-12 16:52:29 -03:00
commands Support named and default arguments in CALL 2018-04-14 09:13:53 -04:00
executor Revert MERGE patch 2018-04-12 11:22:56 +01:00
foreign Remove bogus "extern" annotations on function definitions. 2018-02-19 12:07:44 -05:00
jit Fix partial-build problems introduced by having more generated headers. 2018-04-09 16:42:10 -04:00
lib Fix non-portable use of round(). 2018-03-31 20:26:47 -07:00
libpq Make be-secure-common.c more consistent for future SSL implementations 2018-04-02 11:37:40 -04:00
main Update copyright for 2018 2018-01-02 23:30:12 -05:00
nodes Revert MERGE patch 2018-04-12 11:22:56 +01:00
optimizer Support named and default arguments in CALL 2018-04-14 09:13:53 -04:00
parser Cleanup covering infrastructure 2018-04-12 16:37:22 +03:00
partitioning Add missed bms_copy() in perform_pruning_combine_step 2018-04-09 10:54:28 -03:00
po Translation updates 2017-08-07 13:55:34 -04:00
port Fix and improve pg_atomic_flag fallback implementation. 2018-04-06 19:55:32 -07:00
postmaster Allocate enough shared string memory for stats of auxiliary processes. 2018-04-11 23:39:49 +03:00
regex Update copyright for 2018 2018-01-02 23:30:12 -05:00
replication Improve code comments 2018-04-14 10:04:36 -04:00
rewrite Fix enforcement of SELECT FOR UPDATE permissions with nested views. 2018-04-14 15:38:09 -04:00
snowball Avoid unnecessary use of pg_strcasecmp for already-downcased identifiers. 2018-01-26 18:25:14 -05:00
statistics Fast ALTER TABLE ADD COLUMN with a non-NULL default 2018-03-28 10:43:52 +10:30
storage Fix incorrect close() call in dsm_impl_mmap(). 2018-04-10 18:34:54 -04:00
tcop Revert MERGE patch 2018-04-12 11:22:56 +01:00
tsearch Improve regression test coverage for src/backend/tsearch/spell.c. 2018-04-13 13:49:52 -04:00
utils Use the right memory context for partkey's FmgrInfo 2018-04-12 15:08:10 -03:00
.gitignore Add .gitignore entries for AIX-specific intermediate build artifacts. 2015-07-08 20:44:22 -04:00
Makefile Fix partial-build problems introduced by having more generated headers. 2018-04-09 16:42:10 -04:00
common.mk Remove PARTIAL_LINKING build mode. 2018-03-30 17:33:04 -07:00
nls.mk Translation updates 2017-05-15 12:19:54 -04:00