diff options
author | Robert Joslyn <robert.joslyn@redrectangle.org> | 2023-08-20 18:18:30 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-09-04 09:05:03 -0400 |
commit | d96f8c485326e3bf4420d28aeab4c4fae8a48906 (patch) | |
tree | 2e22795c36713a3ada15802580467dd44e37553e | |
parent | 1ff41cb9c6c49373e7a5598e2e444af68428ca46 (diff) | |
download | meta-openembedded-d96f8c485326e3bf4420d28aeab4c4fae8a48906.tar.gz |
postgresql: Update to 12.16
This is a minor release to address CVEs and other bug fixes without new
features. Remove patches that are fixed in this release. Release notes are
available at:
https://www.postgresql.org/docs/release/12.10/
https://www.postgresql.org/docs/release/12.11/
https://www.postgresql.org/docs/release/12.12/
https://www.postgresql.org/docs/release/12.13/
https://www.postgresql.org/docs/release/12.14/
https://www.postgresql.org/docs/release/12.15/
https://www.postgresql.org/docs/release/12.16/
License-Update: Copyright year updated
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
8 files changed, 11 insertions, 2307 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch deleted file mode 100644 index 6f0d5ac06..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch +++ /dev/null | |||
@@ -1,947 +0,0 @@ | |||
1 | From 31eefa1efc8eecb6ab91c8835d2952d44a3b1ae1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 22 Sep 2022 11:20:41 +0530 | ||
4 | Subject: [PATCH] CVE-2022-1552 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa] | ||
7 | |||
8 | CVE: CVE-2022-1552 | ||
9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
10 | --- | ||
11 | contrib/amcheck/expected/check_btree.out | 23 ++++++ | ||
12 | contrib/amcheck/sql/check_btree.sql | 21 +++++ | ||
13 | contrib/amcheck/verify_nbtree.c | 27 +++++++ | ||
14 | src/backend/access/brin/brin.c | 29 ++++++- | ||
15 | src/backend/catalog/index.c | 65 ++++++++++++---- | ||
16 | src/backend/commands/cluster.c | 37 ++++++--- | ||
17 | src/backend/commands/indexcmds.c | 98 ++++++++++++++++++++---- | ||
18 | src/backend/commands/matview.c | 30 +++----- | ||
19 | src/backend/utils/init/miscinit.c | 24 +++--- | ||
20 | src/test/regress/expected/privileges.out | 71 +++++++++++++++++ | ||
21 | src/test/regress/sql/privileges.sql | 64 ++++++++++++++++ | ||
22 | 11 files changed, 422 insertions(+), 67 deletions(-) | ||
23 | |||
24 | diff --git a/contrib/amcheck/expected/check_btree.out b/contrib/amcheck/expected/check_btree.out | ||
25 | index 59a805d..0fd6ea0 100644 | ||
26 | --- a/contrib/amcheck/expected/check_btree.out | ||
27 | +++ b/contrib/amcheck/expected/check_btree.out | ||
28 | @@ -168,11 +168,34 @@ SELECT bt_index_check('toasty', true); | ||
29 | |||
30 | (1 row) | ||
31 | |||
32 | +-- | ||
33 | +-- Check that index expressions and predicates are run as the table's owner | ||
34 | +-- | ||
35 | +TRUNCATE bttest_a; | ||
36 | +INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000); | ||
37 | +ALTER TABLE bttest_a OWNER TO regress_bttest_role; | ||
38 | +-- A dummy index function checking current_user | ||
39 | +CREATE FUNCTION ifun(int8) RETURNS int8 AS $$ | ||
40 | +BEGIN | ||
41 | + ASSERT current_user = 'regress_bttest_role', | ||
42 | + format('ifun(%s) called by %s', $1, current_user); | ||
43 | + RETURN $1; | ||
44 | +END; | ||
45 | +$$ LANGUAGE plpgsql IMMUTABLE; | ||
46 | +CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0))) | ||
47 | + WHERE ifun(id + 10) > ifun(10); | ||
48 | +SELECT bt_index_check('bttest_a_expr_idx', true); | ||
49 | + bt_index_check | ||
50 | +---------------- | ||
51 | + | ||
52 | +(1 row) | ||
53 | + | ||
54 | -- cleanup | ||
55 | DROP TABLE bttest_a; | ||
56 | DROP TABLE bttest_b; | ||
57 | DROP TABLE bttest_multi; | ||
58 | DROP TABLE delete_test_table; | ||
59 | DROP TABLE toast_bug; | ||
60 | +DROP FUNCTION ifun(int8); | ||
61 | DROP OWNED BY regress_bttest_role; -- permissions | ||
62 | DROP ROLE regress_bttest_role; | ||
63 | diff --git a/contrib/amcheck/sql/check_btree.sql b/contrib/amcheck/sql/check_btree.sql | ||
64 | index 99acbc8..3248187 100644 | ||
65 | --- a/contrib/amcheck/sql/check_btree.sql | ||
66 | +++ b/contrib/amcheck/sql/check_btree.sql | ||
67 | @@ -110,11 +110,32 @@ INSERT INTO toast_bug SELECT repeat('a', 2200); | ||
68 | -- Should not get false positive report of corruption: | ||
69 | SELECT bt_index_check('toasty', true); | ||
70 | |||
71 | +-- | ||
72 | +-- Check that index expressions and predicates are run as the table's owner | ||
73 | +-- | ||
74 | +TRUNCATE bttest_a; | ||
75 | +INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000); | ||
76 | +ALTER TABLE bttest_a OWNER TO regress_bttest_role; | ||
77 | +-- A dummy index function checking current_user | ||
78 | +CREATE FUNCTION ifun(int8) RETURNS int8 AS $$ | ||
79 | +BEGIN | ||
80 | + ASSERT current_user = 'regress_bttest_role', | ||
81 | + format('ifun(%s) called by %s', $1, current_user); | ||
82 | + RETURN $1; | ||
83 | +END; | ||
84 | +$$ LANGUAGE plpgsql IMMUTABLE; | ||
85 | + | ||
86 | +CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0))) | ||
87 | + WHERE ifun(id + 10) > ifun(10); | ||
88 | + | ||
89 | +SELECT bt_index_check('bttest_a_expr_idx', true); | ||
90 | + | ||
91 | -- cleanup | ||
92 | DROP TABLE bttest_a; | ||
93 | DROP TABLE bttest_b; | ||
94 | DROP TABLE bttest_multi; | ||
95 | DROP TABLE delete_test_table; | ||
96 | DROP TABLE toast_bug; | ||
97 | +DROP FUNCTION ifun(int8); | ||
98 | DROP OWNED BY regress_bttest_role; -- permissions | ||
99 | DROP ROLE regress_bttest_role; | ||
100 | diff --git a/contrib/amcheck/verify_nbtree.c b/contrib/amcheck/verify_nbtree.c | ||
101 | index 700a02f..cb6475d 100644 | ||
102 | --- a/contrib/amcheck/verify_nbtree.c | ||
103 | +++ b/contrib/amcheck/verify_nbtree.c | ||
104 | @@ -228,6 +228,9 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, | ||
105 | Relation indrel; | ||
106 | Relation heaprel; | ||
107 | LOCKMODE lockmode; | ||
108 | + Oid save_userid; | ||
109 | + int save_sec_context; | ||
110 | + int save_nestlevel; | ||
111 | |||
112 | if (parentcheck) | ||
113 | lockmode = ShareLock; | ||
114 | @@ -244,9 +247,27 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, | ||
115 | */ | ||
116 | heapid = IndexGetRelation(indrelid, true); | ||
117 | if (OidIsValid(heapid)) | ||
118 | + { | ||
119 | heaprel = table_open(heapid, lockmode); | ||
120 | + | ||
121 | + /* | ||
122 | + * Switch to the table owner's userid, so that any index functions are | ||
123 | + * run as that user. Also lock down security-restricted operations | ||
124 | + * and arrange to make GUC variable changes local to this command. | ||
125 | + */ | ||
126 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
127 | + SetUserIdAndSecContext(heaprel->rd_rel->relowner, | ||
128 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
129 | + save_nestlevel = NewGUCNestLevel(); | ||
130 | + } | ||
131 | else | ||
132 | + { | ||
133 | heaprel = NULL; | ||
134 | + /* for "gcc -Og" https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78394 */ | ||
135 | + save_userid = InvalidOid; | ||
136 | + save_sec_context = -1; | ||
137 | + save_nestlevel = -1; | ||
138 | + } | ||
139 | |||
140 | /* | ||
141 | * Open the target index relations separately (like relation_openrv(), but | ||
142 | @@ -293,6 +314,12 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, | ||
143 | heapallindexed, rootdescend); | ||
144 | } | ||
145 | |||
146 | + /* Roll back any GUC changes executed by index functions */ | ||
147 | + AtEOXact_GUC(false, save_nestlevel); | ||
148 | + | ||
149 | + /* Restore userid and security context */ | ||
150 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
151 | + | ||
152 | /* | ||
153 | * Release locks early. That's ok here because nothing in the called | ||
154 | * routines will trigger shared cache invalidations to be sent, so we can | ||
155 | diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c | ||
156 | index c7b403b..781cac2 100644 | ||
157 | --- a/src/backend/access/brin/brin.c | ||
158 | +++ b/src/backend/access/brin/brin.c | ||
159 | @@ -873,6 +873,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) | ||
160 | Oid heapoid; | ||
161 | Relation indexRel; | ||
162 | Relation heapRel; | ||
163 | + Oid save_userid; | ||
164 | + int save_sec_context; | ||
165 | + int save_nestlevel; | ||
166 | double numSummarized = 0; | ||
167 | |||
168 | if (RecoveryInProgress()) | ||
169 | @@ -899,7 +902,22 @@ brin_summarize_range(PG_FUNCTION_ARGS) | ||
170 | */ | ||
171 | heapoid = IndexGetRelation(indexoid, true); | ||
172 | if (OidIsValid(heapoid)) | ||
173 | + { | ||
174 | heapRel = table_open(heapoid, ShareUpdateExclusiveLock); | ||
175 | + | ||
176 | + /* | ||
177 | + * Autovacuum calls us. For its benefit, switch to the table owner's | ||
178 | + * userid, so that any index functions are run as that user. Also | ||
179 | + * lock down security-restricted operations and arrange to make GUC | ||
180 | + * variable changes local to this command. This is harmless, albeit | ||
181 | + * unnecessary, when called from SQL, because we fail shortly if the | ||
182 | + * user does not own the index. | ||
183 | + */ | ||
184 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
185 | + SetUserIdAndSecContext(heapRel->rd_rel->relowner, | ||
186 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
187 | + save_nestlevel = NewGUCNestLevel(); | ||
188 | + } | ||
189 | else | ||
190 | heapRel = NULL; | ||
191 | |||
192 | @@ -914,7 +932,7 @@ brin_summarize_range(PG_FUNCTION_ARGS) | ||
193 | RelationGetRelationName(indexRel)))); | ||
194 | |||
195 | /* User must own the index (comparable to privileges needed for VACUUM) */ | ||
196 | - if (!pg_class_ownercheck(indexoid, GetUserId())) | ||
197 | + if (heapRel != NULL && !pg_class_ownercheck(indexoid, save_userid)) | ||
198 | aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, | ||
199 | RelationGetRelationName(indexRel)); | ||
200 | |||
201 | @@ -932,6 +950,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) | ||
202 | /* OK, do it */ | ||
203 | brinsummarize(indexRel, heapRel, heapBlk, true, &numSummarized, NULL); | ||
204 | |||
205 | + /* Roll back any GUC changes executed by index functions */ | ||
206 | + AtEOXact_GUC(false, save_nestlevel); | ||
207 | + | ||
208 | + /* Restore userid and security context */ | ||
209 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
210 | + | ||
211 | relation_close(indexRel, ShareUpdateExclusiveLock); | ||
212 | relation_close(heapRel, ShareUpdateExclusiveLock); | ||
213 | |||
214 | @@ -973,6 +997,9 @@ brin_desummarize_range(PG_FUNCTION_ARGS) | ||
215 | * passed indexoid isn't an index then IndexGetRelation() will fail. | ||
216 | * Rather than emitting a not-very-helpful error message, postpone | ||
217 | * complaining, expecting that the is-it-an-index test below will fail. | ||
218 | + * | ||
219 | + * Unlike brin_summarize_range(), autovacuum never calls this. Hence, we | ||
220 | + * don't switch userid. | ||
221 | */ | ||
222 | heapoid = IndexGetRelation(indexoid, true); | ||
223 | if (OidIsValid(heapoid)) | ||
224 | diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c | ||
225 | index 3ece136..0333bfd 100644 | ||
226 | --- a/src/backend/catalog/index.c | ||
227 | +++ b/src/backend/catalog/index.c | ||
228 | @@ -1400,6 +1400,9 @@ index_concurrently_build(Oid heapRelationId, | ||
229 | Oid indexRelationId) | ||
230 | { | ||
231 | Relation heapRel; | ||
232 | + Oid save_userid; | ||
233 | + int save_sec_context; | ||
234 | + int save_nestlevel; | ||
235 | Relation indexRelation; | ||
236 | IndexInfo *indexInfo; | ||
237 | |||
238 | @@ -1409,7 +1412,16 @@ index_concurrently_build(Oid heapRelationId, | ||
239 | /* Open and lock the parent heap relation */ | ||
240 | heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); | ||
241 | |||
242 | - /* And the target index relation */ | ||
243 | + /* | ||
244 | + * Switch to the table owner's userid, so that any index functions are run | ||
245 | + * as that user. Also lock down security-restricted operations and | ||
246 | + * arrange to make GUC variable changes local to this command. | ||
247 | + */ | ||
248 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
249 | + SetUserIdAndSecContext(heapRel->rd_rel->relowner, | ||
250 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
251 | + save_nestlevel = NewGUCNestLevel(); | ||
252 | + | ||
253 | indexRelation = index_open(indexRelationId, RowExclusiveLock); | ||
254 | |||
255 | /* | ||
256 | @@ -1425,6 +1437,12 @@ index_concurrently_build(Oid heapRelationId, | ||
257 | /* Now build the index */ | ||
258 | index_build(heapRel, indexRelation, indexInfo, false, true); | ||
259 | |||
260 | + /* Roll back any GUC changes executed by index functions */ | ||
261 | + AtEOXact_GUC(false, save_nestlevel); | ||
262 | + | ||
263 | + /* Restore userid and security context */ | ||
264 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
265 | + | ||
266 | /* Close both the relations, but keep the locks */ | ||
267 | table_close(heapRel, NoLock); | ||
268 | index_close(indexRelation, NoLock); | ||
269 | @@ -3271,7 +3289,17 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) | ||
270 | |||
271 | /* Open and lock the parent heap relation */ | ||
272 | heapRelation = table_open(heapId, ShareUpdateExclusiveLock); | ||
273 | - /* And the target index relation */ | ||
274 | + | ||
275 | + /* | ||
276 | + * Switch to the table owner's userid, so that any index functions are run | ||
277 | + * as that user. Also lock down security-restricted operations and | ||
278 | + * arrange to make GUC variable changes local to this command. | ||
279 | + */ | ||
280 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
281 | + SetUserIdAndSecContext(heapRelation->rd_rel->relowner, | ||
282 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
283 | + save_nestlevel = NewGUCNestLevel(); | ||
284 | + | ||
285 | indexRelation = index_open(indexId, RowExclusiveLock); | ||
286 | |||
287 | /* | ||
288 | @@ -3284,16 +3312,6 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) | ||
289 | /* mark build is concurrent just for consistency */ | ||
290 | indexInfo->ii_Concurrent = true; | ||
291 | |||
292 | - /* | ||
293 | - * Switch to the table owner's userid, so that any index functions are run | ||
294 | - * as that user. Also lock down security-restricted operations and | ||
295 | - * arrange to make GUC variable changes local to this command. | ||
296 | - */ | ||
297 | - GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
298 | - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, | ||
299 | - save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
300 | - save_nestlevel = NewGUCNestLevel(); | ||
301 | - | ||
302 | /* | ||
303 | * Scan the index and gather up all the TIDs into a tuplesort object. | ||
304 | */ | ||
305 | @@ -3497,6 +3515,9 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, | ||
306 | Relation iRel, | ||
307 | heapRelation; | ||
308 | Oid heapId; | ||
309 | + Oid save_userid; | ||
310 | + int save_sec_context; | ||
311 | + int save_nestlevel; | ||
312 | IndexInfo *indexInfo; | ||
313 | volatile bool skipped_constraint = false; | ||
314 | PGRUsage ru0; | ||
315 | @@ -3527,6 +3548,16 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, | ||
316 | */ | ||
317 | iRel = index_open(indexId, AccessExclusiveLock); | ||
318 | |||
319 | + /* | ||
320 | + * Switch to the table owner's userid, so that any index functions are run | ||
321 | + * as that user. Also lock down security-restricted operations and | ||
322 | + * arrange to make GUC variable changes local to this command. | ||
323 | + */ | ||
324 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
325 | + SetUserIdAndSecContext(heapRelation->rd_rel->relowner, | ||
326 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
327 | + save_nestlevel = NewGUCNestLevel(); | ||
328 | + | ||
329 | if (progress) | ||
330 | pgstat_progress_update_param(PROGRESS_CREATEIDX_ACCESS_METHOD_OID, | ||
331 | iRel->rd_rel->relam); | ||
332 | @@ -3684,12 +3715,18 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, | ||
333 | errdetail_internal("%s", | ||
334 | pg_rusage_show(&ru0)))); | ||
335 | |||
336 | - if (progress) | ||
337 | - pgstat_progress_end_command(); | ||
338 | + /* Roll back any GUC changes executed by index functions */ | ||
339 | + AtEOXact_GUC(false, save_nestlevel); | ||
340 | + | ||
341 | + /* Restore userid and security context */ | ||
342 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
343 | |||
344 | /* Close rels, but keep locks */ | ||
345 | index_close(iRel, NoLock); | ||
346 | table_close(heapRelation, NoLock); | ||
347 | + | ||
348 | + if (progress) | ||
349 | + pgstat_progress_end_command(); | ||
350 | } | ||
351 | |||
352 | /* | ||
353 | diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c | ||
354 | index bd6f408..74db03e 100644 | ||
355 | --- a/src/backend/commands/cluster.c | ||
356 | +++ b/src/backend/commands/cluster.c | ||
357 | @@ -266,6 +266,9 @@ void | ||
358 | cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
359 | { | ||
360 | Relation OldHeap; | ||
361 | + Oid save_userid; | ||
362 | + int save_sec_context; | ||
363 | + int save_nestlevel; | ||
364 | bool verbose = ((options & CLUOPT_VERBOSE) != 0); | ||
365 | bool recheck = ((options & CLUOPT_RECHECK) != 0); | ||
366 | |||
367 | @@ -295,6 +298,16 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
368 | return; | ||
369 | } | ||
370 | |||
371 | + /* | ||
372 | + * Switch to the table owner's userid, so that any index functions are run | ||
373 | + * as that user. Also lock down security-restricted operations and | ||
374 | + * arrange to make GUC variable changes local to this command. | ||
375 | + */ | ||
376 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
377 | + SetUserIdAndSecContext(OldHeap->rd_rel->relowner, | ||
378 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
379 | + save_nestlevel = NewGUCNestLevel(); | ||
380 | + | ||
381 | /* | ||
382 | * Since we may open a new transaction for each relation, we have to check | ||
383 | * that the relation still is what we think it is. | ||
384 | @@ -309,11 +322,10 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
385 | Form_pg_index indexForm; | ||
386 | |||
387 | /* Check that the user still owns the relation */ | ||
388 | - if (!pg_class_ownercheck(tableOid, GetUserId())) | ||
389 | + if (!pg_class_ownercheck(tableOid, save_userid)) | ||
390 | { | ||
391 | relation_close(OldHeap, AccessExclusiveLock); | ||
392 | - pgstat_progress_end_command(); | ||
393 | - return; | ||
394 | + goto out; | ||
395 | } | ||
396 | |||
397 | /* | ||
398 | @@ -327,8 +339,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
399 | if (RELATION_IS_OTHER_TEMP(OldHeap)) | ||
400 | { | ||
401 | relation_close(OldHeap, AccessExclusiveLock); | ||
402 | - pgstat_progress_end_command(); | ||
403 | - return; | ||
404 | + goto out; | ||
405 | } | ||
406 | |||
407 | if (OidIsValid(indexOid)) | ||
408 | @@ -339,8 +350,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
409 | if (!SearchSysCacheExists1(RELOID, ObjectIdGetDatum(indexOid))) | ||
410 | { | ||
411 | relation_close(OldHeap, AccessExclusiveLock); | ||
412 | - pgstat_progress_end_command(); | ||
413 | - return; | ||
414 | + goto out; | ||
415 | } | ||
416 | |||
417 | /* | ||
418 | @@ -350,8 +360,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
419 | if (!HeapTupleIsValid(tuple)) /* probably can't happen */ | ||
420 | { | ||
421 | relation_close(OldHeap, AccessExclusiveLock); | ||
422 | - pgstat_progress_end_command(); | ||
423 | - return; | ||
424 | + goto out; | ||
425 | } | ||
426 | indexForm = (Form_pg_index) GETSTRUCT(tuple); | ||
427 | if (!indexForm->indisclustered) | ||
428 | @@ -413,8 +422,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
429 | !RelationIsPopulated(OldHeap)) | ||
430 | { | ||
431 | relation_close(OldHeap, AccessExclusiveLock); | ||
432 | - pgstat_progress_end_command(); | ||
433 | - return; | ||
434 | + goto out; | ||
435 | } | ||
436 | |||
437 | /* | ||
438 | @@ -430,6 +438,13 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) | ||
439 | |||
440 | /* NB: rebuild_relation does table_close() on OldHeap */ | ||
441 | |||
442 | +out: | ||
443 | + /* Roll back any GUC changes executed by index functions */ | ||
444 | + AtEOXact_GUC(false, save_nestlevel); | ||
445 | + | ||
446 | + /* Restore userid and security context */ | ||
447 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
448 | + | ||
449 | pgstat_progress_end_command(); | ||
450 | } | ||
451 | |||
452 | diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c | ||
453 | index be1cf8c..167b377 100644 | ||
454 | --- a/src/backend/commands/indexcmds.c | ||
455 | +++ b/src/backend/commands/indexcmds.c | ||
456 | @@ -470,21 +470,22 @@ DefineIndex(Oid relationId, | ||
457 | LOCKTAG heaplocktag; | ||
458 | LOCKMODE lockmode; | ||
459 | Snapshot snapshot; | ||
460 | - int save_nestlevel = -1; | ||
461 | + Oid root_save_userid; | ||
462 | + int root_save_sec_context; | ||
463 | + int root_save_nestlevel; | ||
464 | int i; | ||
465 | |||
466 | + root_save_nestlevel = NewGUCNestLevel(); | ||
467 | + | ||
468 | /* | ||
469 | * Some callers need us to run with an empty default_tablespace; this is a | ||
470 | * necessary hack to be able to reproduce catalog state accurately when | ||
471 | * recreating indexes after table-rewriting ALTER TABLE. | ||
472 | */ | ||
473 | if (stmt->reset_default_tblspc) | ||
474 | - { | ||
475 | - save_nestlevel = NewGUCNestLevel(); | ||
476 | (void) set_config_option("default_tablespace", "", | ||
477 | PGC_USERSET, PGC_S_SESSION, | ||
478 | GUC_ACTION_SAVE, true, 0, false); | ||
479 | - } | ||
480 | |||
481 | /* | ||
482 | * Force non-concurrent build on temporary relations, even if CONCURRENTLY | ||
483 | @@ -563,6 +564,15 @@ DefineIndex(Oid relationId, | ||
484 | lockmode = concurrent ? ShareUpdateExclusiveLock : ShareLock; | ||
485 | rel = table_open(relationId, lockmode); | ||
486 | |||
487 | + /* | ||
488 | + * Switch to the table owner's userid, so that any index functions are run | ||
489 | + * as that user. Also lock down security-restricted operations. We | ||
490 | + * already arranged to make GUC variable changes local to this command. | ||
491 | + */ | ||
492 | + GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); | ||
493 | + SetUserIdAndSecContext(rel->rd_rel->relowner, | ||
494 | + root_save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
495 | + | ||
496 | namespaceId = RelationGetNamespace(rel); | ||
497 | |||
498 | /* Ensure that it makes sense to index this kind of relation */ | ||
499 | @@ -648,7 +658,7 @@ DefineIndex(Oid relationId, | ||
500 | { | ||
501 | AclResult aclresult; | ||
502 | |||
503 | - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), | ||
504 | + aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid, | ||
505 | ACL_CREATE); | ||
506 | if (aclresult != ACLCHECK_OK) | ||
507 | aclcheck_error(aclresult, OBJECT_SCHEMA, | ||
508 | @@ -680,7 +690,7 @@ DefineIndex(Oid relationId, | ||
509 | { | ||
510 | AclResult aclresult; | ||
511 | |||
512 | - aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(), | ||
513 | + aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid, | ||
514 | ACL_CREATE); | ||
515 | if (aclresult != ACLCHECK_OK) | ||
516 | aclcheck_error(aclresult, OBJECT_TABLESPACE, | ||
517 | @@ -1066,15 +1076,17 @@ DefineIndex(Oid relationId, | ||
518 | |||
519 | ObjectAddressSet(address, RelationRelationId, indexRelationId); | ||
520 | |||
521 | - /* | ||
522 | - * Revert to original default_tablespace. Must do this before any return | ||
523 | - * from this function, but after index_create, so this is a good time. | ||
524 | - */ | ||
525 | - if (save_nestlevel >= 0) | ||
526 | - AtEOXact_GUC(true, save_nestlevel); | ||
527 | - | ||
528 | if (!OidIsValid(indexRelationId)) | ||
529 | { | ||
530 | + /* | ||
531 | + * Roll back any GUC changes executed by index functions. Also revert | ||
532 | + * to original default_tablespace if we changed it above. | ||
533 | + */ | ||
534 | + AtEOXact_GUC(false, root_save_nestlevel); | ||
535 | + | ||
536 | + /* Restore userid and security context */ | ||
537 | + SetUserIdAndSecContext(root_save_userid, root_save_sec_context); | ||
538 | + | ||
539 | table_close(rel, NoLock); | ||
540 | |||
541 | /* If this is the top-level index, we're done */ | ||
542 | @@ -1084,6 +1096,17 @@ DefineIndex(Oid relationId, | ||
543 | return address; | ||
544 | } | ||
545 | |||
546 | + /* | ||
547 | + * Roll back any GUC changes executed by index functions, and keep | ||
548 | + * subsequent changes local to this command. It's barely possible that | ||
549 | + * some index function changed a behavior-affecting GUC, e.g. xmloption, | ||
550 | + * that affects subsequent steps. This improves bug-compatibility with | ||
551 | + * older PostgreSQL versions. They did the AtEOXact_GUC() here for the | ||
552 | + * purpose of clearing the above default_tablespace change. | ||
553 | + */ | ||
554 | + AtEOXact_GUC(false, root_save_nestlevel); | ||
555 | + root_save_nestlevel = NewGUCNestLevel(); | ||
556 | + | ||
557 | /* Add any requested comment */ | ||
558 | if (stmt->idxcomment != NULL) | ||
559 | CreateComments(indexRelationId, RelationRelationId, 0, | ||
560 | @@ -1130,6 +1153,9 @@ DefineIndex(Oid relationId, | ||
561 | { | ||
562 | Oid childRelid = part_oids[i]; | ||
563 | Relation childrel; | ||
564 | + Oid child_save_userid; | ||
565 | + int child_save_sec_context; | ||
566 | + int child_save_nestlevel; | ||
567 | List *childidxs; | ||
568 | ListCell *cell; | ||
569 | AttrNumber *attmap; | ||
570 | @@ -1138,6 +1164,12 @@ DefineIndex(Oid relationId, | ||
571 | |||
572 | childrel = table_open(childRelid, lockmode); | ||
573 | |||
574 | + GetUserIdAndSecContext(&child_save_userid, | ||
575 | + &child_save_sec_context); | ||
576 | + SetUserIdAndSecContext(childrel->rd_rel->relowner, | ||
577 | + child_save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
578 | + child_save_nestlevel = NewGUCNestLevel(); | ||
579 | + | ||
580 | /* | ||
581 | * Don't try to create indexes on foreign tables, though. Skip | ||
582 | * those if a regular index, or fail if trying to create a | ||
583 | @@ -1153,6 +1185,9 @@ DefineIndex(Oid relationId, | ||
584 | errdetail("Table \"%s\" contains partitions that are foreign tables.", | ||
585 | RelationGetRelationName(rel)))); | ||
586 | |||
587 | + AtEOXact_GUC(false, child_save_nestlevel); | ||
588 | + SetUserIdAndSecContext(child_save_userid, | ||
589 | + child_save_sec_context); | ||
590 | table_close(childrel, lockmode); | ||
591 | continue; | ||
592 | } | ||
593 | @@ -1226,6 +1261,9 @@ DefineIndex(Oid relationId, | ||
594 | } | ||
595 | |||
596 | list_free(childidxs); | ||
597 | + AtEOXact_GUC(false, child_save_nestlevel); | ||
598 | + SetUserIdAndSecContext(child_save_userid, | ||
599 | + child_save_sec_context); | ||
600 | table_close(childrel, NoLock); | ||
601 | |||
602 | /* | ||
603 | @@ -1280,12 +1318,21 @@ DefineIndex(Oid relationId, | ||
604 | if (found_whole_row) | ||
605 | elog(ERROR, "cannot convert whole-row table reference"); | ||
606 | |||
607 | + /* | ||
608 | + * Recurse as the starting user ID. Callee will use that | ||
609 | + * for permission checks, then switch again. | ||
610 | + */ | ||
611 | + Assert(GetUserId() == child_save_userid); | ||
612 | + SetUserIdAndSecContext(root_save_userid, | ||
613 | + root_save_sec_context); | ||
614 | DefineIndex(childRelid, childStmt, | ||
615 | InvalidOid, /* no predefined OID */ | ||
616 | indexRelationId, /* this is our child */ | ||
617 | createdConstraintId, | ||
618 | is_alter_table, check_rights, check_not_in_use, | ||
619 | skip_build, quiet); | ||
620 | + SetUserIdAndSecContext(child_save_userid, | ||
621 | + child_save_sec_context); | ||
622 | } | ||
623 | |||
624 | pgstat_progress_update_param(PROGRESS_CREATEIDX_PARTITIONS_DONE, | ||
625 | @@ -1322,12 +1369,17 @@ DefineIndex(Oid relationId, | ||
626 | * Indexes on partitioned tables are not themselves built, so we're | ||
627 | * done here. | ||
628 | */ | ||
629 | + AtEOXact_GUC(false, root_save_nestlevel); | ||
630 | + SetUserIdAndSecContext(root_save_userid, root_save_sec_context); | ||
631 | table_close(rel, NoLock); | ||
632 | if (!OidIsValid(parentIndexId)) | ||
633 | pgstat_progress_end_command(); | ||
634 | return address; | ||
635 | } | ||
636 | |||
637 | + AtEOXact_GUC(false, root_save_nestlevel); | ||
638 | + SetUserIdAndSecContext(root_save_userid, root_save_sec_context); | ||
639 | + | ||
640 | if (!concurrent) | ||
641 | { | ||
642 | /* Close the heap and we're done, in the non-concurrent case */ | ||
643 | @@ -3040,6 +3092,9 @@ ReindexRelationConcurrently(Oid relationOid, int options) | ||
644 | Oid newIndexId; | ||
645 | Relation indexRel; | ||
646 | Relation heapRel; | ||
647 | + Oid save_userid; | ||
648 | + int save_sec_context; | ||
649 | + int save_nestlevel; | ||
650 | Relation newIndexRel; | ||
651 | LockRelId *lockrelid; | ||
652 | |||
653 | @@ -3047,6 +3102,16 @@ ReindexRelationConcurrently(Oid relationOid, int options) | ||
654 | heapRel = table_open(indexRel->rd_index->indrelid, | ||
655 | ShareUpdateExclusiveLock); | ||
656 | |||
657 | + /* | ||
658 | + * Switch to the table owner's userid, so that any index functions are | ||
659 | + * run as that user. Also lock down security-restricted operations | ||
660 | + * and arrange to make GUC variable changes local to this command. | ||
661 | + */ | ||
662 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
663 | + SetUserIdAndSecContext(heapRel->rd_rel->relowner, | ||
664 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
665 | + save_nestlevel = NewGUCNestLevel(); | ||
666 | + | ||
667 | /* This function shouldn't be called for temporary relations. */ | ||
668 | if (indexRel->rd_rel->relpersistence == RELPERSISTENCE_TEMP) | ||
669 | elog(ERROR, "cannot reindex a temporary table concurrently"); | ||
670 | @@ -3101,6 +3166,13 @@ ReindexRelationConcurrently(Oid relationOid, int options) | ||
671 | |||
672 | index_close(indexRel, NoLock); | ||
673 | index_close(newIndexRel, NoLock); | ||
674 | + | ||
675 | + /* Roll back any GUC changes executed by index functions */ | ||
676 | + AtEOXact_GUC(false, save_nestlevel); | ||
677 | + | ||
678 | + /* Restore userid and security context */ | ||
679 | + SetUserIdAndSecContext(save_userid, save_sec_context); | ||
680 | + | ||
681 | table_close(heapRel, NoLock); | ||
682 | } | ||
683 | |||
684 | diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c | ||
685 | index 80e9ec0..e485661 100644 | ||
686 | --- a/src/backend/commands/matview.c | ||
687 | +++ b/src/backend/commands/matview.c | ||
688 | @@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, | ||
689 | lockmode, 0, | ||
690 | RangeVarCallbackOwnsTable, NULL); | ||
691 | matviewRel = table_open(matviewOid, NoLock); | ||
692 | + relowner = matviewRel->rd_rel->relowner; | ||
693 | + | ||
694 | + /* | ||
695 | + * Switch to the owner's userid, so that any functions are run as that | ||
696 | + * user. Also lock down security-restricted operations and arrange to | ||
697 | + * make GUC variable changes local to this command. | ||
698 | + */ | ||
699 | + GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
700 | + SetUserIdAndSecContext(relowner, | ||
701 | + save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
702 | + save_nestlevel = NewGUCNestLevel(); | ||
703 | |||
704 | /* Make sure it is a materialized view. */ | ||
705 | if (matviewRel->rd_rel->relkind != RELKIND_MATVIEW) | ||
706 | @@ -268,19 +279,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, | ||
707 | */ | ||
708 | SetMatViewPopulatedState(matviewRel, !stmt->skipData); | ||
709 | |||
710 | - relowner = matviewRel->rd_rel->relowner; | ||
711 | - | ||
712 | - /* | ||
713 | - * Switch to the owner's userid, so that any functions are run as that | ||
714 | - * user. Also arrange to make GUC variable changes local to this command. | ||
715 | - * Don't lock it down too tight to create a temporary table just yet. We | ||
716 | - * will switch modes when we are about to execute user code. | ||
717 | - */ | ||
718 | - GetUserIdAndSecContext(&save_userid, &save_sec_context); | ||
719 | - SetUserIdAndSecContext(relowner, | ||
720 | - save_sec_context | SECURITY_LOCAL_USERID_CHANGE); | ||
721 | - save_nestlevel = NewGUCNestLevel(); | ||
722 | - | ||
723 | /* Concurrent refresh builds new data in temp tablespace, and does diff. */ | ||
724 | if (concurrent) | ||
725 | { | ||
726 | @@ -303,12 +301,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, | ||
727 | LockRelationOid(OIDNewHeap, AccessExclusiveLock); | ||
728 | dest = CreateTransientRelDestReceiver(OIDNewHeap); | ||
729 | |||
730 | - /* | ||
731 | - * Now lock down security-restricted operations. | ||
732 | - */ | ||
733 | - SetUserIdAndSecContext(relowner, | ||
734 | - save_sec_context | SECURITY_RESTRICTED_OPERATION); | ||
735 | - | ||
736 | /* Generate the data, if wanted. */ | ||
737 | if (!stmt->skipData) | ||
738 | processed = refresh_matview_datafill(dest, dataQuery, queryString); | ||
739 | diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c | ||
740 | index de554e2..c9f858e 100644 | ||
741 | --- a/src/backend/utils/init/miscinit.c | ||
742 | +++ b/src/backend/utils/init/miscinit.c | ||
743 | @@ -455,15 +455,21 @@ GetAuthenticatedUserId(void) | ||
744 | * with guc.c's internal state, so SET ROLE has to be disallowed. | ||
745 | * | ||
746 | * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation | ||
747 | - * that does not wish to trust called user-defined functions at all. This | ||
748 | - * bit prevents not only SET ROLE, but various other changes of session state | ||
749 | - * that normally is unprotected but might possibly be used to subvert the | ||
750 | - * calling session later. An example is replacing an existing prepared | ||
751 | - * statement with new code, which will then be executed with the outer | ||
752 | - * session's permissions when the prepared statement is next used. Since | ||
753 | - * these restrictions are fairly draconian, we apply them only in contexts | ||
754 | - * where the called functions are really supposed to be side-effect-free | ||
755 | - * anyway, such as VACUUM/ANALYZE/REINDEX. | ||
756 | + * that does not wish to trust called user-defined functions at all. The | ||
757 | + * policy is to use this before operations, e.g. autovacuum and REINDEX, that | ||
758 | + * enumerate relations of a database or schema and run functions associated | ||
759 | + * with each found relation. The relation owner is the new user ID. Set this | ||
760 | + * as soon as possible after locking the relation. Restore the old user ID as | ||
761 | + * late as possible before closing the relation; restoring it shortly after | ||
762 | + * close is also tolerable. If a command has both relation-enumerating and | ||
763 | + * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit | ||
764 | + * prevents not only SET ROLE, but various other changes of session state that | ||
765 | + * normally is unprotected but might possibly be used to subvert the calling | ||
766 | + * session later. An example is replacing an existing prepared statement with | ||
767 | + * new code, which will then be executed with the outer session's permissions | ||
768 | + * when the prepared statement is next used. These restrictions are fairly | ||
769 | + * draconian, but the functions called in relation-enumerating operations are | ||
770 | + * really supposed to be side-effect-free anyway. | ||
771 | * | ||
772 | * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should | ||
773 | * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to | ||
774 | diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out | ||
775 | index 186d2fb..0f0c1b3 100644 | ||
776 | --- a/src/test/regress/expected/privileges.out | ||
777 | +++ b/src/test/regress/expected/privileges.out | ||
778 | @@ -1336,6 +1336,61 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP | ||
779 | -- security-restricted operations | ||
780 | \c - | ||
781 | CREATE ROLE regress_sro_user; | ||
782 | +-- Check that index expressions and predicates are run as the table's owner | ||
783 | +-- A dummy index function checking current_user | ||
784 | +CREATE FUNCTION sro_ifun(int) RETURNS int AS $$ | ||
785 | +BEGIN | ||
786 | + -- Below we set the table's owner to regress_sro_user | ||
787 | + ASSERT current_user = 'regress_sro_user', | ||
788 | + format('sro_ifun(%s) called by %s', $1, current_user); | ||
789 | + RETURN $1; | ||
790 | +END; | ||
791 | +$$ LANGUAGE plpgsql IMMUTABLE; | ||
792 | +-- Create a table owned by regress_sro_user | ||
793 | +CREATE TABLE sro_tab (a int); | ||
794 | +ALTER TABLE sro_tab OWNER TO regress_sro_user; | ||
795 | +INSERT INTO sro_tab VALUES (1), (2), (3); | ||
796 | +-- Create an expression index with a predicate | ||
797 | +CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) | ||
798 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
799 | +DROP INDEX sro_idx; | ||
800 | +-- Do the same concurrently | ||
801 | +CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) | ||
802 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
803 | +-- REINDEX | ||
804 | +REINDEX TABLE sro_tab; | ||
805 | +REINDEX INDEX sro_idx; | ||
806 | +REINDEX TABLE CONCURRENTLY sro_tab; | ||
807 | +DROP INDEX sro_idx; | ||
808 | +-- CLUSTER | ||
809 | +CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))); | ||
810 | +CLUSTER sro_tab USING sro_cluster_idx; | ||
811 | +DROP INDEX sro_cluster_idx; | ||
812 | +-- BRIN index | ||
813 | +CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0))); | ||
814 | +SELECT brin_desummarize_range('sro_brin', 0); | ||
815 | + brin_desummarize_range | ||
816 | +------------------------ | ||
817 | + | ||
818 | +(1 row) | ||
819 | + | ||
820 | +SELECT brin_summarize_range('sro_brin', 0); | ||
821 | + brin_summarize_range | ||
822 | +---------------------- | ||
823 | + 1 | ||
824 | +(1 row) | ||
825 | + | ||
826 | +DROP TABLE sro_tab; | ||
827 | +-- Check with a partitioned table | ||
828 | +CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a); | ||
829 | +ALTER TABLE sro_ptab OWNER TO regress_sro_user; | ||
830 | +CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10); | ||
831 | +ALTER TABLE sro_part OWNER TO regress_sro_user; | ||
832 | +INSERT INTO sro_ptab VALUES (1), (2), (3); | ||
833 | +CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0))) | ||
834 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
835 | +REINDEX TABLE sro_ptab; | ||
836 | +REINDEX INDEX CONCURRENTLY sro_pidx; | ||
837 | SET SESSION AUTHORIZATION regress_sro_user; | ||
838 | CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS | ||
839 | 'GRANT regress_priv_group2 TO regress_sro_user'; | ||
840 | @@ -1373,6 +1428,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1 | ||
841 | SQL statement "SELECT unwanted_grant()" | ||
842 | PL/pgSQL function sro_trojan() line 1 at PERFORM | ||
843 | SQL function "mv_action" statement 1 | ||
844 | +-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions() | ||
845 | +SET SESSION AUTHORIZATION regress_sro_user; | ||
846 | +CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int | ||
847 | + IMMUTABLE LANGUAGE plpgsql AS $$ | ||
848 | +BEGIN | ||
849 | + PERFORM unwanted_grant(); | ||
850 | + RAISE WARNING 'owned'; | ||
851 | + RETURN 1; | ||
852 | +EXCEPTION WHEN OTHERS THEN | ||
853 | + RETURN 2; | ||
854 | +END$$; | ||
855 | +CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c; | ||
856 | +CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0; | ||
857 | +\c - | ||
858 | +REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv; | ||
859 | +REFRESH MATERIALIZED VIEW sro_index_mv; | ||
860 | DROP OWNED BY regress_sro_user; | ||
861 | DROP ROLE regress_sro_user; | ||
862 | -- Admin options | ||
863 | diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql | ||
864 | index 34fbf0e..c0b88a6 100644 | ||
865 | --- a/src/test/regress/sql/privileges.sql | ||
866 | +++ b/src/test/regress/sql/privileges.sql | ||
867 | @@ -826,6 +826,53 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP | ||
868 | \c - | ||
869 | CREATE ROLE regress_sro_user; | ||
870 | |||
871 | +-- Check that index expressions and predicates are run as the table's owner | ||
872 | + | ||
873 | +-- A dummy index function checking current_user | ||
874 | +CREATE FUNCTION sro_ifun(int) RETURNS int AS $$ | ||
875 | +BEGIN | ||
876 | + -- Below we set the table's owner to regress_sro_user | ||
877 | + ASSERT current_user = 'regress_sro_user', | ||
878 | + format('sro_ifun(%s) called by %s', $1, current_user); | ||
879 | + RETURN $1; | ||
880 | +END; | ||
881 | +$$ LANGUAGE plpgsql IMMUTABLE; | ||
882 | +-- Create a table owned by regress_sro_user | ||
883 | +CREATE TABLE sro_tab (a int); | ||
884 | +ALTER TABLE sro_tab OWNER TO regress_sro_user; | ||
885 | +INSERT INTO sro_tab VALUES (1), (2), (3); | ||
886 | +-- Create an expression index with a predicate | ||
887 | +CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) | ||
888 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
889 | +DROP INDEX sro_idx; | ||
890 | +-- Do the same concurrently | ||
891 | +CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) | ||
892 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
893 | +-- REINDEX | ||
894 | +REINDEX TABLE sro_tab; | ||
895 | +REINDEX INDEX sro_idx; | ||
896 | +REINDEX TABLE CONCURRENTLY sro_tab; | ||
897 | +DROP INDEX sro_idx; | ||
898 | +-- CLUSTER | ||
899 | +CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))); | ||
900 | +CLUSTER sro_tab USING sro_cluster_idx; | ||
901 | +DROP INDEX sro_cluster_idx; | ||
902 | +-- BRIN index | ||
903 | +CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0))); | ||
904 | +SELECT brin_desummarize_range('sro_brin', 0); | ||
905 | +SELECT brin_summarize_range('sro_brin', 0); | ||
906 | +DROP TABLE sro_tab; | ||
907 | +-- Check with a partitioned table | ||
908 | +CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a); | ||
909 | +ALTER TABLE sro_ptab OWNER TO regress_sro_user; | ||
910 | +CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10); | ||
911 | +ALTER TABLE sro_part OWNER TO regress_sro_user; | ||
912 | +INSERT INTO sro_ptab VALUES (1), (2), (3); | ||
913 | +CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0))) | ||
914 | + WHERE sro_ifun(a + 10) > sro_ifun(10); | ||
915 | +REINDEX TABLE sro_ptab; | ||
916 | +REINDEX INDEX CONCURRENTLY sro_pidx; | ||
917 | + | ||
918 | SET SESSION AUTHORIZATION regress_sro_user; | ||
919 | CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS | ||
920 | 'GRANT regress_priv_group2 TO regress_sro_user'; | ||
921 | @@ -852,6 +899,23 @@ REFRESH MATERIALIZED VIEW sro_mv; | ||
922 | REFRESH MATERIALIZED VIEW sro_mv; | ||
923 | BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT; | ||
924 | |||
925 | +-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions() | ||
926 | +SET SESSION AUTHORIZATION regress_sro_user; | ||
927 | +CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int | ||
928 | + IMMUTABLE LANGUAGE plpgsql AS $$ | ||
929 | +BEGIN | ||
930 | + PERFORM unwanted_grant(); | ||
931 | + RAISE WARNING 'owned'; | ||
932 | + RETURN 1; | ||
933 | +EXCEPTION WHEN OTHERS THEN | ||
934 | + RETURN 2; | ||
935 | +END$$; | ||
936 | +CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c; | ||
937 | +CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0; | ||
938 | +\c - | ||
939 | +REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv; | ||
940 | +REFRESH MATERIALIZED VIEW sro_index_mv; | ||
941 | + | ||
942 | DROP OWNED BY regress_sro_user; | ||
943 | DROP ROLE regress_sro_user; | ||
944 | |||
945 | -- | ||
946 | 2.25.1 | ||
947 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch deleted file mode 100644 index 6417d8a2b..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch +++ /dev/null | |||
@@ -1,904 +0,0 @@ | |||
1 | From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 13 Oct 2022 10:35:32 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2625 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89] | ||
7 | CVE: CVE-2022-2625 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | doc/src/sgml/extend.sgml | 11 -- | ||
11 | src/backend/catalog/pg_collation.c | 49 ++++-- | ||
12 | src/backend/catalog/pg_depend.c | 74 ++++++++- | ||
13 | src/backend/catalog/pg_operator.c | 2 +- | ||
14 | src/backend/catalog/pg_type.c | 7 +- | ||
15 | src/backend/commands/createas.c | 18 ++- | ||
16 | src/backend/commands/foreigncmds.c | 19 ++- | ||
17 | src/backend/commands/schemacmds.c | 25 ++- | ||
18 | src/backend/commands/sequence.c | 8 + | ||
19 | src/backend/commands/statscmds.c | 4 + | ||
20 | src/backend/commands/view.c | 16 +- | ||
21 | src/backend/parser/parse_utilcmd.c | 10 ++ | ||
22 | src/include/catalog/dependency.h | 2 + | ||
23 | src/test/modules/test_extensions/Makefile | 5 +- | ||
24 | .../expected/test_extensions.out | 153 ++++++++++++++++++ | ||
25 | .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++ | ||
26 | .../test_ext_cine--1.0--1.1.sql | 26 +++ | ||
27 | .../test_extensions/test_ext_cine--1.0.sql | 25 +++ | ||
28 | .../test_extensions/test_ext_cine.control | 3 + | ||
29 | .../test_extensions/test_ext_cor--1.0.sql | 20 +++ | ||
30 | .../test_extensions/test_ext_cor.control | 3 + | ||
31 | 21 files changed, 540 insertions(+), 50 deletions(-) | ||
32 | create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql | ||
33 | create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql | ||
34 | create mode 100644 src/test/modules/test_extensions/test_ext_cine.control | ||
35 | create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql | ||
36 | create mode 100644 src/test/modules/test_extensions/test_ext_cor.control | ||
37 | |||
38 | diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml | ||
39 | index 53f2638..bcc7a80 100644 | ||
40 | --- a/doc/src/sgml/extend.sgml | ||
41 | +++ b/doc/src/sgml/extend.sgml | ||
42 | @@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl | ||
43 | <varname>search_path</varname>. However, no mechanism currently exists | ||
44 | to require that. | ||
45 | </para> | ||
46 | - | ||
47 | - <para> | ||
48 | - Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE | ||
49 | - FUNCTION</command>, except in an update script that must change the | ||
50 | - definition of a function that is known to be an extension member | ||
51 | - already. (Likewise for other <literal>OR REPLACE</literal> options.) | ||
52 | - Using <literal>OR REPLACE</literal> unnecessarily not only has a risk | ||
53 | - of accidentally overwriting someone else's function, but it creates a | ||
54 | - security hazard since the overwritten function would still be owned by | ||
55 | - its original owner, who could modify it. | ||
56 | - </para> | ||
57 | </sect3> | ||
58 | </sect2> | ||
59 | |||
60 | diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c | ||
61 | index dd99d53..ba4c3ef 100644 | ||
62 | --- a/src/backend/catalog/pg_collation.c | ||
63 | +++ b/src/backend/catalog/pg_collation.c | ||
64 | @@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace, | ||
65 | * friendlier error message. The unique index provides a backstop against | ||
66 | * race conditions. | ||
67 | */ | ||
68 | - if (SearchSysCacheExists3(COLLNAMEENCNSP, | ||
69 | - PointerGetDatum(collname), | ||
70 | - Int32GetDatum(collencoding), | ||
71 | - ObjectIdGetDatum(collnamespace))) | ||
72 | + oid = GetSysCacheOid3(COLLNAMEENCNSP, | ||
73 | + Anum_pg_collation_oid, | ||
74 | + PointerGetDatum(collname), | ||
75 | + Int32GetDatum(collencoding), | ||
76 | + ObjectIdGetDatum(collnamespace)); | ||
77 | + if (OidIsValid(oid)) | ||
78 | { | ||
79 | if (quiet) | ||
80 | return InvalidOid; | ||
81 | else if (if_not_exists) | ||
82 | { | ||
83 | + /* | ||
84 | + * If we are in an extension script, insist that the pre-existing | ||
85 | + * object be a member of the extension, to avoid security risks. | ||
86 | + */ | ||
87 | + ObjectAddressSet(myself, CollationRelationId, oid); | ||
88 | + checkMembershipInCurrentExtension(&myself); | ||
89 | + | ||
90 | + /* OK to skip */ | ||
91 | ereport(NOTICE, | ||
92 | (errcode(ERRCODE_DUPLICATE_OBJECT), | ||
93 | collencoding == -1 | ||
94 | @@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace, | ||
95 | * so we take a ShareRowExclusiveLock earlier, to protect against | ||
96 | * concurrent changes fooling this check. | ||
97 | */ | ||
98 | - if ((collencoding == -1 && | ||
99 | - SearchSysCacheExists3(COLLNAMEENCNSP, | ||
100 | - PointerGetDatum(collname), | ||
101 | - Int32GetDatum(GetDatabaseEncoding()), | ||
102 | - ObjectIdGetDatum(collnamespace))) || | ||
103 | - (collencoding != -1 && | ||
104 | - SearchSysCacheExists3(COLLNAMEENCNSP, | ||
105 | - PointerGetDatum(collname), | ||
106 | - Int32GetDatum(-1), | ||
107 | - ObjectIdGetDatum(collnamespace)))) | ||
108 | + if (collencoding == -1) | ||
109 | + oid = GetSysCacheOid3(COLLNAMEENCNSP, | ||
110 | + Anum_pg_collation_oid, | ||
111 | + PointerGetDatum(collname), | ||
112 | + Int32GetDatum(GetDatabaseEncoding()), | ||
113 | + ObjectIdGetDatum(collnamespace)); | ||
114 | + else | ||
115 | + oid = GetSysCacheOid3(COLLNAMEENCNSP, | ||
116 | + Anum_pg_collation_oid, | ||
117 | + PointerGetDatum(collname), | ||
118 | + Int32GetDatum(-1), | ||
119 | + ObjectIdGetDatum(collnamespace)); | ||
120 | + if (OidIsValid(oid)) | ||
121 | { | ||
122 | if (quiet) | ||
123 | { | ||
124 | @@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace, | ||
125 | } | ||
126 | else if (if_not_exists) | ||
127 | { | ||
128 | + /* | ||
129 | + * If we are in an extension script, insist that the pre-existing | ||
130 | + * object be a member of the extension, to avoid security risks. | ||
131 | + */ | ||
132 | + ObjectAddressSet(myself, CollationRelationId, oid); | ||
133 | + checkMembershipInCurrentExtension(&myself); | ||
134 | + | ||
135 | + /* OK to skip */ | ||
136 | table_close(rel, NoLock); | ||
137 | ereport(NOTICE, | ||
138 | (errcode(ERRCODE_DUPLICATE_OBJECT), | ||
139 | diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c | ||
140 | index 9ffadbb..71c7cef 100644 | ||
141 | --- a/src/backend/catalog/pg_depend.c | ||
142 | +++ b/src/backend/catalog/pg_depend.c | ||
143 | @@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender, | ||
144 | |||
145 | /* | ||
146 | * If we are executing a CREATE EXTENSION operation, mark the given object | ||
147 | - * as being a member of the extension. Otherwise, do nothing. | ||
148 | + * as being a member of the extension, or check that it already is one. | ||
149 | + * Otherwise, do nothing. | ||
150 | * | ||
151 | * This must be called during creation of any user-definable object type | ||
152 | * that could be a member of an extension. | ||
153 | * | ||
154 | - * If isReplace is true, the object already existed (or might have already | ||
155 | - * existed), so we must check for a pre-existing extension membership entry. | ||
156 | - * Passing false is a guarantee that the object is newly created, and so | ||
157 | - * could not already be a member of any extension. | ||
158 | + * isReplace must be true if the object already existed, and false if it is | ||
159 | + * newly created. In the former case we insist that it already be a member | ||
160 | + * of the current extension. In the latter case we can skip checking whether | ||
161 | + * it is already a member of any extension. | ||
162 | + * | ||
163 | + * Note: isReplace = true is typically used when updating a object in | ||
164 | + * CREATE OR REPLACE and similar commands. We used to allow the target | ||
165 | + * object to not already be an extension member, instead silently absorbing | ||
166 | + * it into the current extension. However, this was both error-prone | ||
167 | + * (extensions might accidentally overwrite free-standing objects) and | ||
168 | + * a security hazard (since the object would retain its previous ownership). | ||
169 | */ | ||
170 | void | ||
171 | recordDependencyOnCurrentExtension(const ObjectAddress *object, | ||
172 | @@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, | ||
173 | { | ||
174 | Oid oldext; | ||
175 | |||
176 | + /* | ||
177 | + * Side note: these catalog lookups are safe only because the | ||
178 | + * object is a pre-existing one. In the not-isReplace case, the | ||
179 | + * caller has most likely not yet done a CommandCounterIncrement | ||
180 | + * that would make the new object visible. | ||
181 | + */ | ||
182 | oldext = getExtensionOfObject(object->classId, object->objectId); | ||
183 | if (OidIsValid(oldext)) | ||
184 | { | ||
185 | @@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, | ||
186 | getObjectDescription(object), | ||
187 | get_extension_name(oldext)))); | ||
188 | } | ||
189 | + /* It's a free-standing object, so reject */ | ||
190 | + ereport(ERROR, | ||
191 | + (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), | ||
192 | + errmsg("%s is not a member of extension \"%s\"", | ||
193 | + getObjectDescription(object), | ||
194 | + get_extension_name(CurrentExtensionObject)), | ||
195 | + errdetail("An extension is not allowed to replace an object that it does not own."))); | ||
196 | } | ||
197 | |||
198 | /* OK, record it as a member of CurrentExtensionObject */ | ||
199 | @@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, | ||
200 | } | ||
201 | } | ||
202 | |||
203 | +/* | ||
204 | + * If we are executing a CREATE EXTENSION operation, check that the given | ||
205 | + * object is a member of the extension, and throw an error if it isn't. | ||
206 | + * Otherwise, do nothing. | ||
207 | + * | ||
208 | + * This must be called whenever a CREATE IF NOT EXISTS operation (for an | ||
209 | + * object type that can be an extension member) has found that an object of | ||
210 | + * the desired name already exists. It is insecure for an extension to use | ||
211 | + * IF NOT EXISTS except when the conflicting object is already an extension | ||
212 | + * member; otherwise a hostile user could substitute an object with arbitrary | ||
213 | + * properties. | ||
214 | + */ | ||
215 | +void | ||
216 | +checkMembershipInCurrentExtension(const ObjectAddress *object) | ||
217 | +{ | ||
218 | + /* | ||
219 | + * This is actually the same condition tested in | ||
220 | + * recordDependencyOnCurrentExtension; but we want to issue a | ||
221 | + * differently-worded error, and anyway it would be pretty confusing to | ||
222 | + * call recordDependencyOnCurrentExtension in these circumstances. | ||
223 | + */ | ||
224 | + | ||
225 | + /* Only whole objects can be extension members */ | ||
226 | + Assert(object->objectSubId == 0); | ||
227 | + | ||
228 | + if (creating_extension) | ||
229 | + { | ||
230 | + Oid oldext; | ||
231 | + | ||
232 | + oldext = getExtensionOfObject(object->classId, object->objectId); | ||
233 | + /* If already a member of this extension, OK */ | ||
234 | + if (oldext == CurrentExtensionObject) | ||
235 | + return; | ||
236 | + /* Else complain */ | ||
237 | + ereport(ERROR, | ||
238 | + (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), | ||
239 | + errmsg("%s is not a member of extension \"%s\"", | ||
240 | + getObjectDescription(object), | ||
241 | + get_extension_name(CurrentExtensionObject)), | ||
242 | + errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns."))); | ||
243 | + } | ||
244 | +} | ||
245 | + | ||
246 | /* | ||
247 | * deleteDependencyRecordsFor -- delete all records with given depender | ||
248 | * classId/objectId. Returns the number of records deleted. | ||
249 | diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c | ||
250 | index bcaa26c..84784e6 100644 | ||
251 | --- a/src/backend/catalog/pg_operator.c | ||
252 | +++ b/src/backend/catalog/pg_operator.c | ||
253 | @@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate) | ||
254 | oper->oprowner); | ||
255 | |||
256 | /* Dependency on extension */ | ||
257 | - recordDependencyOnCurrentExtension(&myself, true); | ||
258 | + recordDependencyOnCurrentExtension(&myself, isUpdate); | ||
259 | |||
260 | return myself; | ||
261 | } | ||
262 | diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c | ||
263 | index 2a51501..3ff017f 100644 | ||
264 | --- a/src/backend/catalog/pg_type.c | ||
265 | +++ b/src/backend/catalog/pg_type.c | ||
266 | @@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid, | ||
267 | * If rebuild is true, we remove existing dependencies and rebuild them | ||
268 | * from scratch. This is needed for ALTER TYPE, and also when replacing | ||
269 | * a shell type. We don't remove an existing extension dependency, though. | ||
270 | - * (That means an extension can't absorb a shell type created in another | ||
271 | - * extension, nor ALTER a type created by another extension. Also, if it | ||
272 | - * replaces a free-standing shell type or ALTERs a free-standing type, | ||
273 | - * that type will become a member of the extension.) | ||
274 | + * That means an extension can't absorb a shell type that is free-standing | ||
275 | + * or belongs to another extension, nor ALTER a type that is free-standing or | ||
276 | + * belongs to another extension. | ||
277 | */ | ||
278 | void | ||
279 | GenerateTypeDependencies(Oid typeObjectId, | ||
280 | diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c | ||
281 | index 4c1d909..a68d945 100644 | ||
282 | --- a/src/backend/commands/createas.c | ||
283 | +++ b/src/backend/commands/createas.c | ||
284 | @@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString, | ||
285 | if (stmt->if_not_exists) | ||
286 | { | ||
287 | Oid nspid; | ||
288 | + Oid oldrelid; | ||
289 | |||
290 | - nspid = RangeVarGetCreationNamespace(stmt->into->rel); | ||
291 | + nspid = RangeVarGetCreationNamespace(into->rel); | ||
292 | |||
293 | - if (get_relname_relid(stmt->into->rel->relname, nspid)) | ||
294 | + oldrelid = get_relname_relid(into->rel->relname, nspid); | ||
295 | + if (OidIsValid(oldrelid)) | ||
296 | { | ||
297 | + /* | ||
298 | + * The relation exists and IF NOT EXISTS has been specified. | ||
299 | + * | ||
300 | + * If we are in an extension script, insist that the pre-existing | ||
301 | + * object be a member of the extension, to avoid security risks. | ||
302 | + */ | ||
303 | + ObjectAddressSet(address, RelationRelationId, oldrelid); | ||
304 | + checkMembershipInCurrentExtension(&address); | ||
305 | + | ||
306 | + /* OK to skip */ | ||
307 | ereport(NOTICE, | ||
308 | (errcode(ERRCODE_DUPLICATE_TABLE), | ||
309 | errmsg("relation \"%s\" already exists, skipping", | ||
310 | - stmt->into->rel->relname))); | ||
311 | + into->rel->relname))); | ||
312 | return InvalidObjectAddress; | ||
313 | } | ||
314 | } | ||
315 | diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c | ||
316 | index d7bc6e3..bc583c6 100644 | ||
317 | --- a/src/backend/commands/foreigncmds.c | ||
318 | +++ b/src/backend/commands/foreigncmds.c | ||
319 | @@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt) | ||
320 | ownerId = GetUserId(); | ||
321 | |||
322 | /* | ||
323 | - * Check that there is no other foreign server by this name. Do nothing if | ||
324 | - * IF NOT EXISTS was enforced. | ||
325 | + * Check that there is no other foreign server by this name. If there is | ||
326 | + * one, do nothing if IF NOT EXISTS was specified. | ||
327 | */ | ||
328 | - if (GetForeignServerByName(stmt->servername, true) != NULL) | ||
329 | + srvId = get_foreign_server_oid(stmt->servername, true); | ||
330 | + if (OidIsValid(srvId)) | ||
331 | { | ||
332 | if (stmt->if_not_exists) | ||
333 | { | ||
334 | + /* | ||
335 | + * If we are in an extension script, insist that the pre-existing | ||
336 | + * object be a member of the extension, to avoid security risks. | ||
337 | + */ | ||
338 | + ObjectAddressSet(myself, ForeignServerRelationId, srvId); | ||
339 | + checkMembershipInCurrentExtension(&myself); | ||
340 | + | ||
341 | + /* OK to skip */ | ||
342 | ereport(NOTICE, | ||
343 | (errcode(ERRCODE_DUPLICATE_OBJECT), | ||
344 | errmsg("server \"%s\" already exists, skipping", | ||
345 | @@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt) | ||
346 | { | ||
347 | if (stmt->if_not_exists) | ||
348 | { | ||
349 | + /* | ||
350 | + * Since user mappings aren't members of extensions (see comments | ||
351 | + * below), no need for checkMembershipInCurrentExtension here. | ||
352 | + */ | ||
353 | ereport(NOTICE, | ||
354 | (errcode(ERRCODE_DUPLICATE_OBJECT), | ||
355 | errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping", | ||
356 | diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c | ||
357 | index 6cf94a3..6bc4edc 100644 | ||
358 | --- a/src/backend/commands/schemacmds.c | ||
359 | +++ b/src/backend/commands/schemacmds.c | ||
360 | @@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, | ||
361 | * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its | ||
362 | * creation-permission check first, we do likewise. | ||
363 | */ | ||
364 | - if (stmt->if_not_exists && | ||
365 | - SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName))) | ||
366 | + if (stmt->if_not_exists) | ||
367 | { | ||
368 | - ereport(NOTICE, | ||
369 | - (errcode(ERRCODE_DUPLICATE_SCHEMA), | ||
370 | - errmsg("schema \"%s\" already exists, skipping", | ||
371 | - schemaName))); | ||
372 | - return InvalidOid; | ||
373 | + namespaceId = get_namespace_oid(schemaName, true); | ||
374 | + if (OidIsValid(namespaceId)) | ||
375 | + { | ||
376 | + /* | ||
377 | + * If we are in an extension script, insist that the pre-existing | ||
378 | + * object be a member of the extension, to avoid security risks. | ||
379 | + */ | ||
380 | + ObjectAddressSet(address, NamespaceRelationId, namespaceId); | ||
381 | + checkMembershipInCurrentExtension(&address); | ||
382 | + | ||
383 | + /* OK to skip */ | ||
384 | + ereport(NOTICE, | ||
385 | + (errcode(ERRCODE_DUPLICATE_SCHEMA), | ||
386 | + errmsg("schema \"%s\" already exists, skipping", | ||
387 | + schemaName))); | ||
388 | + return InvalidOid; | ||
389 | + } | ||
390 | } | ||
391 | |||
392 | /* | ||
393 | diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c | ||
394 | index 0960b33..0577184 100644 | ||
395 | --- a/src/backend/commands/sequence.c | ||
396 | +++ b/src/backend/commands/sequence.c | ||
397 | @@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq) | ||
398 | RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid); | ||
399 | if (OidIsValid(seqoid)) | ||
400 | { | ||
401 | + /* | ||
402 | + * If we are in an extension script, insist that the pre-existing | ||
403 | + * object be a member of the extension, to avoid security risks. | ||
404 | + */ | ||
405 | + ObjectAddressSet(address, RelationRelationId, seqoid); | ||
406 | + checkMembershipInCurrentExtension(&address); | ||
407 | + | ||
408 | + /* OK to skip */ | ||
409 | ereport(NOTICE, | ||
410 | (errcode(ERRCODE_DUPLICATE_TABLE), | ||
411 | errmsg("relation \"%s\" already exists, skipping", | ||
412 | diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c | ||
413 | index 5678d31..409cf28 100644 | ||
414 | --- a/src/backend/commands/statscmds.c | ||
415 | +++ b/src/backend/commands/statscmds.c | ||
416 | @@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt) | ||
417 | { | ||
418 | if (stmt->if_not_exists) | ||
419 | { | ||
420 | + /* | ||
421 | + * Since stats objects aren't members of extensions (see comments | ||
422 | + * below), no need for checkMembershipInCurrentExtension here. | ||
423 | + */ | ||
424 | ereport(NOTICE, | ||
425 | (errcode(ERRCODE_DUPLICATE_OBJECT), | ||
426 | errmsg("statistics object \"%s\" already exists, skipping", | ||
427 | diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c | ||
428 | index 87ed453..dd7cc97 100644 | ||
429 | --- a/src/backend/commands/view.c | ||
430 | +++ b/src/backend/commands/view.c | ||
431 | @@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, | ||
432 | CommandCounterIncrement(); | ||
433 | |||
434 | /* | ||
435 | - * Finally update the view options. | ||
436 | + * Update the view's options. | ||
437 | * | ||
438 | * The new options list replaces the existing options list, even if | ||
439 | * it's empty. | ||
440 | @@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, | ||
441 | /* EventTriggerAlterTableStart called by ProcessUtilitySlow */ | ||
442 | AlterTableInternal(viewOid, atcmds, true); | ||
443 | |||
444 | + /* | ||
445 | + * There is very little to do here to update the view's dependencies. | ||
446 | + * Most view-level dependency relationships, such as those on the | ||
447 | + * owner, schema, and associated composite type, aren't changing. | ||
448 | + * Because we don't allow changing type or collation of an existing | ||
449 | + * view column, those dependencies of the existing columns don't | ||
450 | + * change either, while the AT_AddColumnToView machinery took care of | ||
451 | + * adding such dependencies for new view columns. The dependencies of | ||
452 | + * the view's query could have changed arbitrarily, but that was dealt | ||
453 | + * with inside StoreViewQuery. What remains is only to check that | ||
454 | + * view replacement is allowed when we're creating an extension. | ||
455 | + */ | ||
456 | ObjectAddressSet(address, RelationRelationId, viewOid); | ||
457 | |||
458 | + recordDependencyOnCurrentExtension(&address, true); | ||
459 | + | ||
460 | /* | ||
461 | * Seems okay, so return the OID of the pre-existing view. | ||
462 | */ | ||
463 | diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c | ||
464 | index 44aa38a..8f4d940 100644 | ||
465 | --- a/src/backend/parser/parse_utilcmd.c | ||
466 | +++ b/src/backend/parser/parse_utilcmd.c | ||
467 | @@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString) | ||
468 | */ | ||
469 | if (stmt->if_not_exists && OidIsValid(existing_relid)) | ||
470 | { | ||
471 | + /* | ||
472 | + * If we are in an extension script, insist that the pre-existing | ||
473 | + * object be a member of the extension, to avoid security risks. | ||
474 | + */ | ||
475 | + ObjectAddress address; | ||
476 | + | ||
477 | + ObjectAddressSet(address, RelationRelationId, existing_relid); | ||
478 | + checkMembershipInCurrentExtension(&address); | ||
479 | + | ||
480 | + /* OK to skip */ | ||
481 | ereport(NOTICE, | ||
482 | (errcode(ERRCODE_DUPLICATE_TABLE), | ||
483 | errmsg("relation \"%s\" already exists, skipping", | ||
484 | diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h | ||
485 | index 8b1e3aa..27c7509 100644 | ||
486 | --- a/src/include/catalog/dependency.h | ||
487 | +++ b/src/include/catalog/dependency.h | ||
488 | @@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender, | ||
489 | extern void recordDependencyOnCurrentExtension(const ObjectAddress *object, | ||
490 | bool isReplace); | ||
491 | |||
492 | +extern void checkMembershipInCurrentExtension(const ObjectAddress *object); | ||
493 | + | ||
494 | extern long deleteDependencyRecordsFor(Oid classId, Oid objectId, | ||
495 | bool skipExtensionDeps); | ||
496 | |||
497 | diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile | ||
498 | index d18108e..7428f15 100644 | ||
499 | --- a/src/test/modules/test_extensions/Makefile | ||
500 | +++ b/src/test/modules/test_extensions/Makefile | ||
501 | @@ -4,10 +4,13 @@ MODULE = test_extensions | ||
502 | PGFILEDESC = "test_extensions - regression testing for EXTENSION support" | ||
503 | |||
504 | EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \ | ||
505 | - test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2 | ||
506 | + test_ext7 test_ext8 test_ext_cine test_ext_cor \ | ||
507 | + test_ext_cyclic1 test_ext_cyclic2 | ||
508 | DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \ | ||
509 | test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \ | ||
510 | test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \ | ||
511 | + test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \ | ||
512 | + test_ext_cor--1.0.sql \ | ||
513 | test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql | ||
514 | |||
515 | REGRESS = test_extensions test_extdepend | ||
516 | diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out | ||
517 | index b5cbdfc..1e91640 100644 | ||
518 | --- a/src/test/modules/test_extensions/expected/test_extensions.out | ||
519 | +++ b/src/test/modules/test_extensions/expected/test_extensions.out | ||
520 | @@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab; | ||
521 | DROP FUNCTION create_extension_with_temp_schema(); | ||
522 | RESET client_min_messages; | ||
523 | \unset SHOW_CONTEXT | ||
524 | +-- It's generally bad style to use CREATE OR REPLACE unnecessarily. | ||
525 | +-- Test what happens if an extension does it anyway. | ||
526 | +-- Replacing a shell type or operator is sort of like CREATE OR REPLACE; | ||
527 | +-- check that too. | ||
528 | +CREATE FUNCTION ext_cor_func() RETURNS text | ||
529 | + AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql; | ||
530 | +CREATE EXTENSION test_ext_cor; -- fail | ||
531 | +ERROR: function ext_cor_func() is not a member of extension "test_ext_cor" | ||
532 | +DETAIL: An extension is not allowed to replace an object that it does not own. | ||
533 | +SELECT ext_cor_func(); | ||
534 | + ext_cor_func | ||
535 | +------------------------ | ||
536 | + ext_cor_func: original | ||
537 | +(1 row) | ||
538 | + | ||
539 | +DROP FUNCTION ext_cor_func(); | ||
540 | +CREATE VIEW ext_cor_view AS | ||
541 | + SELECT 'ext_cor_view: original'::text AS col; | ||
542 | +CREATE EXTENSION test_ext_cor; -- fail | ||
543 | +ERROR: view ext_cor_view is not a member of extension "test_ext_cor" | ||
544 | +DETAIL: An extension is not allowed to replace an object that it does not own. | ||
545 | +SELECT ext_cor_func(); | ||
546 | +ERROR: function ext_cor_func() does not exist | ||
547 | +LINE 1: SELECT ext_cor_func(); | ||
548 | + ^ | ||
549 | +HINT: No function matches the given name and argument types. You might need to add explicit type casts. | ||
550 | +SELECT * FROM ext_cor_view; | ||
551 | + col | ||
552 | +------------------------ | ||
553 | + ext_cor_view: original | ||
554 | +(1 row) | ||
555 | + | ||
556 | +DROP VIEW ext_cor_view; | ||
557 | +CREATE TYPE test_ext_type; | ||
558 | +CREATE EXTENSION test_ext_cor; -- fail | ||
559 | +ERROR: type test_ext_type is not a member of extension "test_ext_cor" | ||
560 | +DETAIL: An extension is not allowed to replace an object that it does not own. | ||
561 | +DROP TYPE test_ext_type; | ||
562 | +-- this makes a shell "point <<@@ polygon" operator too | ||
563 | +CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt, | ||
564 | + LEFTARG = polygon, RIGHTARG = point, | ||
565 | + COMMUTATOR = <<@@ ); | ||
566 | +CREATE EXTENSION test_ext_cor; -- fail | ||
567 | +ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor" | ||
568 | +DETAIL: An extension is not allowed to replace an object that it does not own. | ||
569 | +DROP OPERATOR <<@@ (point, polygon); | ||
570 | +CREATE EXTENSION test_ext_cor; -- now it should work | ||
571 | +SELECT ext_cor_func(); | ||
572 | + ext_cor_func | ||
573 | +------------------------------ | ||
574 | + ext_cor_func: from extension | ||
575 | +(1 row) | ||
576 | + | ||
577 | +SELECT * FROM ext_cor_view; | ||
578 | + col | ||
579 | +------------------------------ | ||
580 | + ext_cor_view: from extension | ||
581 | +(1 row) | ||
582 | + | ||
583 | +SELECT 'x'::test_ext_type; | ||
584 | + test_ext_type | ||
585 | +--------------- | ||
586 | + x | ||
587 | +(1 row) | ||
588 | + | ||
589 | +SELECT point(0,0) <<@@ polygon(circle(point(0,0),1)); | ||
590 | + ?column? | ||
591 | +---------- | ||
592 | + t | ||
593 | +(1 row) | ||
594 | + | ||
595 | +\dx+ test_ext_cor | ||
596 | +Objects in extension "test_ext_cor" | ||
597 | + Object description | ||
598 | +------------------------------ | ||
599 | + function ext_cor_func() | ||
600 | + operator <<@@(point,polygon) | ||
601 | + type test_ext_type | ||
602 | + view ext_cor_view | ||
603 | +(4 rows) | ||
604 | + | ||
605 | +-- | ||
606 | +-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension | ||
607 | +-- to be doing, but let's at least plug the major security hole in it. | ||
608 | +-- | ||
609 | +CREATE COLLATION ext_cine_coll | ||
610 | + ( LC_COLLATE = "C", LC_CTYPE = "C" ); | ||
611 | +CREATE EXTENSION test_ext_cine; -- fail | ||
612 | +ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine" | ||
613 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
614 | +DROP COLLATION ext_cine_coll; | ||
615 | +CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1; | ||
616 | +CREATE EXTENSION test_ext_cine; -- fail | ||
617 | +ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine" | ||
618 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
619 | +DROP MATERIALIZED VIEW ext_cine_mv; | ||
620 | +CREATE FOREIGN DATA WRAPPER dummy; | ||
621 | +CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy; | ||
622 | +CREATE EXTENSION test_ext_cine; -- fail | ||
623 | +ERROR: server ext_cine_srv is not a member of extension "test_ext_cine" | ||
624 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
625 | +DROP SERVER ext_cine_srv; | ||
626 | +CREATE SCHEMA ext_cine_schema; | ||
627 | +CREATE EXTENSION test_ext_cine; -- fail | ||
628 | +ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine" | ||
629 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
630 | +DROP SCHEMA ext_cine_schema; | ||
631 | +CREATE SEQUENCE ext_cine_seq; | ||
632 | +CREATE EXTENSION test_ext_cine; -- fail | ||
633 | +ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine" | ||
634 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
635 | +DROP SEQUENCE ext_cine_seq; | ||
636 | +CREATE TABLE ext_cine_tab1 (x int); | ||
637 | +CREATE EXTENSION test_ext_cine; -- fail | ||
638 | +ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine" | ||
639 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
640 | +DROP TABLE ext_cine_tab1; | ||
641 | +CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y; | ||
642 | +CREATE EXTENSION test_ext_cine; -- fail | ||
643 | +ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine" | ||
644 | +DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. | ||
645 | +DROP TABLE ext_cine_tab2; | ||
646 | +CREATE EXTENSION test_ext_cine; | ||
647 | +\dx+ test_ext_cine | ||
648 | +Objects in extension "test_ext_cine" | ||
649 | + Object description | ||
650 | +----------------------------------- | ||
651 | + collation ext_cine_coll | ||
652 | + foreign-data wrapper ext_cine_fdw | ||
653 | + materialized view ext_cine_mv | ||
654 | + schema ext_cine_schema | ||
655 | + sequence ext_cine_seq | ||
656 | + server ext_cine_srv | ||
657 | + table ext_cine_tab1 | ||
658 | + table ext_cine_tab2 | ||
659 | +(8 rows) | ||
660 | + | ||
661 | +ALTER EXTENSION test_ext_cine UPDATE TO '1.1'; | ||
662 | +\dx+ test_ext_cine | ||
663 | +Objects in extension "test_ext_cine" | ||
664 | + Object description | ||
665 | +----------------------------------- | ||
666 | + collation ext_cine_coll | ||
667 | + foreign-data wrapper ext_cine_fdw | ||
668 | + materialized view ext_cine_mv | ||
669 | + schema ext_cine_schema | ||
670 | + sequence ext_cine_seq | ||
671 | + server ext_cine_srv | ||
672 | + table ext_cine_tab1 | ||
673 | + table ext_cine_tab2 | ||
674 | + table ext_cine_tab3 | ||
675 | +(9 rows) | ||
676 | + | ||
677 | diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql | ||
678 | index f505466..b3d4579 100644 | ||
679 | --- a/src/test/modules/test_extensions/sql/test_extensions.sql | ||
680 | +++ b/src/test/modules/test_extensions/sql/test_extensions.sql | ||
681 | @@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab; | ||
682 | DROP FUNCTION create_extension_with_temp_schema(); | ||
683 | RESET client_min_messages; | ||
684 | \unset SHOW_CONTEXT | ||
685 | + | ||
686 | +-- It's generally bad style to use CREATE OR REPLACE unnecessarily. | ||
687 | +-- Test what happens if an extension does it anyway. | ||
688 | +-- Replacing a shell type or operator is sort of like CREATE OR REPLACE; | ||
689 | +-- check that too. | ||
690 | + | ||
691 | +CREATE FUNCTION ext_cor_func() RETURNS text | ||
692 | + AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql; | ||
693 | + | ||
694 | +CREATE EXTENSION test_ext_cor; -- fail | ||
695 | + | ||
696 | +SELECT ext_cor_func(); | ||
697 | + | ||
698 | +DROP FUNCTION ext_cor_func(); | ||
699 | + | ||
700 | +CREATE VIEW ext_cor_view AS | ||
701 | + SELECT 'ext_cor_view: original'::text AS col; | ||
702 | + | ||
703 | +CREATE EXTENSION test_ext_cor; -- fail | ||
704 | + | ||
705 | +SELECT ext_cor_func(); | ||
706 | + | ||
707 | +SELECT * FROM ext_cor_view; | ||
708 | + | ||
709 | +DROP VIEW ext_cor_view; | ||
710 | + | ||
711 | +CREATE TYPE test_ext_type; | ||
712 | + | ||
713 | +CREATE EXTENSION test_ext_cor; -- fail | ||
714 | + | ||
715 | +DROP TYPE test_ext_type; | ||
716 | + | ||
717 | +-- this makes a shell "point <<@@ polygon" operator too | ||
718 | +CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt, | ||
719 | + LEFTARG = polygon, RIGHTARG = point, | ||
720 | + COMMUTATOR = <<@@ ); | ||
721 | + | ||
722 | +CREATE EXTENSION test_ext_cor; -- fail | ||
723 | + | ||
724 | +DROP OPERATOR <<@@ (point, polygon); | ||
725 | + | ||
726 | +CREATE EXTENSION test_ext_cor; -- now it should work | ||
727 | + | ||
728 | +SELECT ext_cor_func(); | ||
729 | + | ||
730 | +SELECT * FROM ext_cor_view; | ||
731 | + | ||
732 | +SELECT 'x'::test_ext_type; | ||
733 | + | ||
734 | +SELECT point(0,0) <<@@ polygon(circle(point(0,0),1)); | ||
735 | + | ||
736 | +\dx+ test_ext_cor | ||
737 | + | ||
738 | +-- | ||
739 | +-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension | ||
740 | +-- to be doing, but let's at least plug the major security hole in it. | ||
741 | +-- | ||
742 | + | ||
743 | +CREATE COLLATION ext_cine_coll | ||
744 | + ( LC_COLLATE = "C", LC_CTYPE = "C" ); | ||
745 | + | ||
746 | +CREATE EXTENSION test_ext_cine; -- fail | ||
747 | + | ||
748 | +DROP COLLATION ext_cine_coll; | ||
749 | + | ||
750 | +CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1; | ||
751 | + | ||
752 | +CREATE EXTENSION test_ext_cine; -- fail | ||
753 | + | ||
754 | +DROP MATERIALIZED VIEW ext_cine_mv; | ||
755 | + | ||
756 | +CREATE FOREIGN DATA WRAPPER dummy; | ||
757 | + | ||
758 | +CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy; | ||
759 | + | ||
760 | +CREATE EXTENSION test_ext_cine; -- fail | ||
761 | + | ||
762 | +DROP SERVER ext_cine_srv; | ||
763 | + | ||
764 | +CREATE SCHEMA ext_cine_schema; | ||
765 | + | ||
766 | +CREATE EXTENSION test_ext_cine; -- fail | ||
767 | + | ||
768 | +DROP SCHEMA ext_cine_schema; | ||
769 | + | ||
770 | +CREATE SEQUENCE ext_cine_seq; | ||
771 | + | ||
772 | +CREATE EXTENSION test_ext_cine; -- fail | ||
773 | + | ||
774 | +DROP SEQUENCE ext_cine_seq; | ||
775 | + | ||
776 | +CREATE TABLE ext_cine_tab1 (x int); | ||
777 | + | ||
778 | +CREATE EXTENSION test_ext_cine; -- fail | ||
779 | + | ||
780 | +DROP TABLE ext_cine_tab1; | ||
781 | + | ||
782 | +CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y; | ||
783 | + | ||
784 | +CREATE EXTENSION test_ext_cine; -- fail | ||
785 | + | ||
786 | +DROP TABLE ext_cine_tab2; | ||
787 | + | ||
788 | +CREATE EXTENSION test_ext_cine; | ||
789 | + | ||
790 | +\dx+ test_ext_cine | ||
791 | + | ||
792 | +ALTER EXTENSION test_ext_cine UPDATE TO '1.1'; | ||
793 | + | ||
794 | +\dx+ test_ext_cine | ||
795 | diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql | ||
796 | new file mode 100644 | ||
797 | index 0000000..6dadfd2 | ||
798 | --- /dev/null | ||
799 | +++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql | ||
800 | @@ -0,0 +1,26 @@ | ||
801 | +/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */ | ||
802 | +-- complain if script is sourced in psql, rather than via ALTER EXTENSION | ||
803 | +\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit | ||
804 | + | ||
805 | +-- | ||
806 | +-- These are the same commands as in the 1.0 script; we expect them | ||
807 | +-- to do nothing. | ||
808 | +-- | ||
809 | + | ||
810 | +CREATE COLLATION IF NOT EXISTS ext_cine_coll | ||
811 | + ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" ); | ||
812 | + | ||
813 | +CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1; | ||
814 | + | ||
815 | +CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw; | ||
816 | + | ||
817 | +CREATE SCHEMA IF NOT EXISTS ext_cine_schema; | ||
818 | + | ||
819 | +CREATE SEQUENCE IF NOT EXISTS ext_cine_seq; | ||
820 | + | ||
821 | +CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int); | ||
822 | + | ||
823 | +CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y; | ||
824 | + | ||
825 | +-- just to verify the script ran | ||
826 | +CREATE TABLE ext_cine_tab3 (z int); | ||
827 | diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql | ||
828 | new file mode 100644 | ||
829 | index 0000000..01408ff | ||
830 | --- /dev/null | ||
831 | +++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql | ||
832 | @@ -0,0 +1,25 @@ | ||
833 | +/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */ | ||
834 | +-- complain if script is sourced in psql, rather than via CREATE EXTENSION | ||
835 | +\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit | ||
836 | + | ||
837 | +-- | ||
838 | +-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension | ||
839 | +-- to be doing, but let's at least plug the major security hole in it. | ||
840 | +-- | ||
841 | + | ||
842 | +CREATE COLLATION IF NOT EXISTS ext_cine_coll | ||
843 | + ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" ); | ||
844 | + | ||
845 | +CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1; | ||
846 | + | ||
847 | +CREATE FOREIGN DATA WRAPPER ext_cine_fdw; | ||
848 | + | ||
849 | +CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw; | ||
850 | + | ||
851 | +CREATE SCHEMA IF NOT EXISTS ext_cine_schema; | ||
852 | + | ||
853 | +CREATE SEQUENCE IF NOT EXISTS ext_cine_seq; | ||
854 | + | ||
855 | +CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int); | ||
856 | + | ||
857 | +CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y; | ||
858 | diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control | ||
859 | new file mode 100644 | ||
860 | index 0000000..ced713b | ||
861 | --- /dev/null | ||
862 | +++ b/src/test/modules/test_extensions/test_ext_cine.control | ||
863 | @@ -0,0 +1,3 @@ | ||
864 | +comment = 'Test extension using CREATE IF NOT EXISTS' | ||
865 | +default_version = '1.0' | ||
866 | +relocatable = true | ||
867 | diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql | ||
868 | new file mode 100644 | ||
869 | index 0000000..2e8d89c | ||
870 | --- /dev/null | ||
871 | +++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql | ||
872 | @@ -0,0 +1,20 @@ | ||
873 | +/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */ | ||
874 | +-- complain if script is sourced in psql, rather than via CREATE EXTENSION | ||
875 | +\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit | ||
876 | + | ||
877 | +-- It's generally bad style to use CREATE OR REPLACE unnecessarily. | ||
878 | +-- Test what happens if an extension does it anyway. | ||
879 | + | ||
880 | +CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text | ||
881 | + AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql; | ||
882 | + | ||
883 | +CREATE OR REPLACE VIEW ext_cor_view AS | ||
884 | + SELECT 'ext_cor_view: from extension'::text AS col; | ||
885 | + | ||
886 | +-- These are for testing replacement of a shell type/operator, which works | ||
887 | +-- enough like an implicit OR REPLACE to be important to check. | ||
888 | + | ||
889 | +CREATE TYPE test_ext_type AS ENUM('x', 'y'); | ||
890 | + | ||
891 | +CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly, | ||
892 | + LEFTARG = point, RIGHTARG = polygon ); | ||
893 | diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control | ||
894 | new file mode 100644 | ||
895 | index 0000000..0e972e5 | ||
896 | --- /dev/null | ||
897 | +++ b/src/test/modules/test_extensions/test_ext_cor.control | ||
898 | @@ -0,0 +1,3 @@ | ||
899 | +comment = 'Test extension using CREATE OR REPLACE' | ||
900 | +default_version = '1.0' | ||
901 | +relocatable = true | ||
902 | -- | ||
903 | 2.25.1 | ||
904 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch deleted file mode 100644 index f4093f4ba..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch +++ /dev/null | |||
@@ -1,48 +0,0 @@ | |||
1 | From 3f7342671341a7a137f2d8b06ab3461cdb0e1d88 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Paquier <michael@paquier.xyz> | ||
3 | Date: Mon, 6 Feb 2023 11:20:31 +0900 | ||
4 | Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet | ||
5 | reception | ||
6 | |||
7 | pqsecure_open_gss() includes a code path handling error messages with | ||
8 | v2-style protocol messages coming from the server. The client-side | ||
9 | buffer holding the error message does not force a NULL-termination, with | ||
10 | the data of the server getting copied to the errorMessage of the | ||
11 | connection. Hence, it would be possible for a server to send an | ||
12 | unterminated string and copy arbitrary bytes in the buffer receiving the | ||
13 | error message in the client, opening the door to a crash or even data | ||
14 | exposure. | ||
15 | |||
16 | As at this stage of the authentication process the exchange has not been | ||
17 | completed yet, this could be abused by an attacker without Kerberos | ||
18 | credentials. Clients that have a valid kerberos cache are vulnerable as | ||
19 | libpq opportunistically requests for it except if gssencmode is | ||
20 | disabled. | ||
21 | |||
22 | Author: Jacob Champion | ||
23 | Backpatch-through: 12 | ||
24 | Security: CVE-2022-41862 | ||
25 | |||
26 | CVE: CVE-2022-41862 | ||
27 | Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88] | ||
28 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
29 | --- | ||
30 | src/interfaces/libpq/fe-secure-gssapi.c | 2 ++ | ||
31 | 1 file changed, 2 insertions(+) | ||
32 | |||
33 | diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c | ||
34 | index 7b5e383..aef201b 100644 | ||
35 | --- a/src/interfaces/libpq/fe-secure-gssapi.c | ||
36 | +++ b/src/interfaces/libpq/fe-secure-gssapi.c | ||
37 | @@ -578,6 +578,8 @@ pqsecure_open_gss(PGconn *conn) | ||
38 | |||
39 | PqGSSRecvLength += ret; | ||
40 | |||
41 | + Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE); | ||
42 | + PqGSSRecvBuffer[PqGSSRecvLength] = '\0'; | ||
43 | printfPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1); | ||
44 | |||
45 | return PGRES_POLLING_FAILED; | ||
46 | -- | ||
47 | 2.25.1 | ||
48 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch deleted file mode 100644 index eb0aff80d..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch +++ /dev/null | |||
@@ -1,235 +0,0 @@ | |||
1 | From 23cb8eaeb97df350273cb8902e55842a955339c8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Noah Misch <noah@leadboat.com> | ||
3 | Date: Mon, 8 May 2023 06:14:07 -0700 | ||
4 | Subject: [PATCH] Replace last PushOverrideSearchPath() call with | ||
5 | set_config_option(). | ||
6 | |||
7 | The two methods don't cooperate, so set_config_option("search_path", | ||
8 | ...) has been ineffective under non-empty overrideStack. This defect | ||
9 | enabled an attacker having database-level CREATE privilege to execute | ||
10 | arbitrary code as the bootstrap superuser. While that particular attack | ||
11 | requires v13+ for the trusted extension attribute, other attacks are | ||
12 | feasible in all supported versions. | ||
13 | |||
14 | Standardize on the combination of NewGUCNestLevel() and | ||
15 | set_config_option("search_path", ...). It is newer than | ||
16 | PushOverrideSearchPath(), more-prevalent, and has no known | ||
17 | disadvantages. The "override" mechanism remains for now, for | ||
18 | compatibility with out-of-tree code. Users should update such code, | ||
19 | which likely suffers from the same sort of vulnerability closed here. | ||
20 | Back-patch to v11 (all supported versions). | ||
21 | |||
22 | Alexander Lakhin. Reported by Alexander Lakhin. | ||
23 | |||
24 | Security: CVE-2023-2454 | ||
25 | |||
26 | Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8] | ||
27 | CVE: CVE-2023-2454 | ||
28 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
29 | --- | ||
30 | src/backend/catalog/namespace.c | 4 +++ | ||
31 | src/backend/commands/schemacmds.c | 37 ++++++++++++++------ | ||
32 | src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++ | ||
33 | src/test/regress/sql/namespace.sql | 24 +++++++++++++ | ||
34 | 4 files changed, 100 insertions(+), 10 deletions(-) | ||
35 | |||
36 | diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c | ||
37 | index 48a7058..74a0536 100644 | ||
38 | --- a/src/backend/catalog/namespace.c | ||
39 | +++ b/src/backend/catalog/namespace.c | ||
40 | @@ -3456,6 +3456,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path) | ||
41 | /* | ||
42 | * PushOverrideSearchPath - temporarily override the search path | ||
43 | * | ||
44 | + * Do not use this function; almost any usage introduces a security | ||
45 | + * vulnerability. It exists for the benefit of legacy code running in | ||
46 | + * non-security-sensitive environments. | ||
47 | + * | ||
48 | * We allow nested overrides, hence the push/pop terminology. The GUC | ||
49 | * search_path variable is ignored while an override is active. | ||
50 | * | ||
51 | diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c | ||
52 | index 6bc4edc..27b1241 100644 | ||
53 | --- a/src/backend/commands/schemacmds.c | ||
54 | +++ b/src/backend/commands/schemacmds.c | ||
55 | @@ -29,6 +29,7 @@ | ||
56 | #include "commands/schemacmds.h" | ||
57 | #include "miscadmin.h" | ||
58 | #include "parser/parse_utilcmd.h" | ||
59 | +#include "parser/scansup.h" | ||
60 | #include "tcop/utility.h" | ||
61 | #include "utils/acl.h" | ||
62 | #include "utils/builtins.h" | ||
63 | @@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, | ||
64 | { | ||
65 | const char *schemaName = stmt->schemaname; | ||
66 | Oid namespaceId; | ||
67 | - OverrideSearchPath *overridePath; | ||
68 | List *parsetree_list; | ||
69 | ListCell *parsetree_item; | ||
70 | Oid owner_uid; | ||
71 | Oid saved_uid; | ||
72 | int save_sec_context; | ||
73 | + int save_nestlevel; | ||
74 | + char *nsp = namespace_search_path; | ||
75 | AclResult aclresult; | ||
76 | ObjectAddress address; | ||
77 | + StringInfoData pathbuf; | ||
78 | |||
79 | GetUserIdAndSecContext(&saved_uid, &save_sec_context); | ||
80 | |||
81 | @@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, | ||
82 | CommandCounterIncrement(); | ||
83 | |||
84 | /* | ||
85 | - * Temporarily make the new namespace be the front of the search path, as | ||
86 | - * well as the default creation target namespace. This will be undone at | ||
87 | - * the end of this routine, or upon error. | ||
88 | + * Prepend the new schema to the current search path. | ||
89 | + * | ||
90 | + * We use the equivalent of a function SET option to allow the setting to | ||
91 | + * persist for exactly the duration of the schema creation. guc.c also | ||
92 | + * takes care of undoing the setting on error. | ||
93 | */ | ||
94 | - overridePath = GetOverrideSearchPath(CurrentMemoryContext); | ||
95 | - overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas); | ||
96 | - /* XXX should we clear overridePath->useTemp? */ | ||
97 | - PushOverrideSearchPath(overridePath); | ||
98 | + save_nestlevel = NewGUCNestLevel(); | ||
99 | + | ||
100 | + initStringInfo(&pathbuf); | ||
101 | + appendStringInfoString(&pathbuf, quote_identifier(schemaName)); | ||
102 | + | ||
103 | + while (scanner_isspace(*nsp)) | ||
104 | + nsp++; | ||
105 | + | ||
106 | + if (*nsp != '\0') | ||
107 | + appendStringInfo(&pathbuf, ", %s", nsp); | ||
108 | + | ||
109 | + (void) set_config_option("search_path", pathbuf.data, | ||
110 | + PGC_USERSET, PGC_S_SESSION, | ||
111 | + GUC_ACTION_SAVE, true, 0, false); | ||
112 | |||
113 | /* | ||
114 | * Report the new schema to possibly interested event triggers. Note we | ||
115 | @@ -213,8 +228,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, | ||
116 | CommandCounterIncrement(); | ||
117 | } | ||
118 | |||
119 | - /* Reset search path to normal state */ | ||
120 | - PopOverrideSearchPath(); | ||
121 | + /* | ||
122 | + * Restore the GUC variable search_path we set above. | ||
123 | + */ | ||
124 | + AtEOXact_GUC(true, save_nestlevel); | ||
125 | |||
126 | /* Reset current user and security context */ | ||
127 | SetUserIdAndSecContext(saved_uid, save_sec_context); | ||
128 | diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out | ||
129 | index 2564d1b..a62fd8d 100644 | ||
130 | --- a/src/test/regress/expected/namespace.out | ||
131 | +++ b/src/test/regress/expected/namespace.out | ||
132 | @@ -1,6 +1,14 @@ | ||
133 | -- | ||
134 | -- Regression tests for schemas (namespaces) | ||
135 | -- | ||
136 | +-- set the whitespace-only search_path to test that the | ||
137 | +-- GUC list syntax is preserved during a schema creation | ||
138 | +SELECT pg_catalog.set_config('search_path', ' ', false); | ||
139 | + set_config | ||
140 | +------------ | ||
141 | + | ||
142 | +(1 row) | ||
143 | + | ||
144 | CREATE SCHEMA test_ns_schema_1 | ||
145 | CREATE UNIQUE INDEX abc_a_idx ON abc (a) | ||
146 | CREATE VIEW abc_view AS | ||
147 | @@ -9,6 +17,43 @@ CREATE SCHEMA test_ns_schema_1 | ||
148 | a serial, | ||
149 | b int UNIQUE | ||
150 | ); | ||
151 | +-- verify that the correct search_path restored on abort | ||
152 | +SET search_path to public; | ||
153 | +BEGIN; | ||
154 | +SET search_path to public, test_ns_schema_1; | ||
155 | +CREATE SCHEMA test_ns_schema_2 | ||
156 | + CREATE VIEW abc_view AS SELECT c FROM abc; | ||
157 | +ERROR: column "c" does not exist | ||
158 | +LINE 2: CREATE VIEW abc_view AS SELECT c FROM abc; | ||
159 | + ^ | ||
160 | +COMMIT; | ||
161 | +SHOW search_path; | ||
162 | + search_path | ||
163 | +------------- | ||
164 | + public | ||
165 | +(1 row) | ||
166 | + | ||
167 | +-- verify that the correct search_path preserved | ||
168 | +-- after creating the schema and on commit | ||
169 | +BEGIN; | ||
170 | +SET search_path to public, test_ns_schema_1; | ||
171 | +CREATE SCHEMA test_ns_schema_2 | ||
172 | + CREATE VIEW abc_view AS SELECT a FROM abc; | ||
173 | +SHOW search_path; | ||
174 | + search_path | ||
175 | +-------------------------- | ||
176 | + public, test_ns_schema_1 | ||
177 | +(1 row) | ||
178 | + | ||
179 | +COMMIT; | ||
180 | +SHOW search_path; | ||
181 | + search_path | ||
182 | +-------------------------- | ||
183 | + public, test_ns_schema_1 | ||
184 | +(1 row) | ||
185 | + | ||
186 | +DROP SCHEMA test_ns_schema_2 CASCADE; | ||
187 | +NOTICE: drop cascades to view test_ns_schema_2.abc_view | ||
188 | -- verify that the objects were created | ||
189 | SELECT COUNT(*) FROM pg_class WHERE relnamespace = | ||
190 | (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1'); | ||
191 | diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql | ||
192 | index 6b12c96..3474f5e 100644 | ||
193 | --- a/src/test/regress/sql/namespace.sql | ||
194 | +++ b/src/test/regress/sql/namespace.sql | ||
195 | @@ -2,6 +2,10 @@ | ||
196 | -- Regression tests for schemas (namespaces) | ||
197 | -- | ||
198 | |||
199 | +-- set the whitespace-only search_path to test that the | ||
200 | +-- GUC list syntax is preserved during a schema creation | ||
201 | +SELECT pg_catalog.set_config('search_path', ' ', false); | ||
202 | + | ||
203 | CREATE SCHEMA test_ns_schema_1 | ||
204 | CREATE UNIQUE INDEX abc_a_idx ON abc (a) | ||
205 | |||
206 | @@ -13,6 +17,26 @@ CREATE SCHEMA test_ns_schema_1 | ||
207 | b int UNIQUE | ||
208 | ); | ||
209 | |||
210 | +-- verify that the correct search_path restored on abort | ||
211 | +SET search_path to public; | ||
212 | +BEGIN; | ||
213 | +SET search_path to public, test_ns_schema_1; | ||
214 | +CREATE SCHEMA test_ns_schema_2 | ||
215 | + CREATE VIEW abc_view AS SELECT c FROM abc; | ||
216 | +COMMIT; | ||
217 | +SHOW search_path; | ||
218 | + | ||
219 | +-- verify that the correct search_path preserved | ||
220 | +-- after creating the schema and on commit | ||
221 | +BEGIN; | ||
222 | +SET search_path to public, test_ns_schema_1; | ||
223 | +CREATE SCHEMA test_ns_schema_2 | ||
224 | + CREATE VIEW abc_view AS SELECT a FROM abc; | ||
225 | +SHOW search_path; | ||
226 | +COMMIT; | ||
227 | +SHOW search_path; | ||
228 | +DROP SCHEMA test_ns_schema_2 CASCADE; | ||
229 | + | ||
230 | -- verify that the objects were created | ||
231 | SELECT COUNT(*) FROM pg_class WHERE relnamespace = | ||
232 | (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1'); | ||
233 | -- | ||
234 | 2.25.1 | ||
235 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch deleted file mode 100644 index b0bf2dbf2..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch +++ /dev/null | |||
@@ -1,118 +0,0 @@ | |||
1 | From 473626cf00babd829eb15c36b51dfb358d32bc95 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Mon, 8 May 2023 10:12:45 -0400 | ||
4 | Subject: [PATCH] Handle RLS dependencies in inlined set-returning functions | ||
5 | properly. | ||
6 | |||
7 | If an SRF in the FROM clause references a table having row-level | ||
8 | security policies, and we inline that SRF into the calling query, | ||
9 | we neglected to mark the plan as potentially dependent on which | ||
10 | role is executing it. This could lead to later executions in the | ||
11 | same session returning or hiding rows that should have been hidden | ||
12 | or returned instead. | ||
13 | |||
14 | Our thanks to Wolfgang Walther for reporting this problem. | ||
15 | |||
16 | Stephen Frost and Tom Lane | ||
17 | |||
18 | Security: CVE-2023-2455 | ||
19 | |||
20 | Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=473626cf00babd829eb15c36b51dfb358d32bc95] | ||
21 | CVE: CVE-2023-2455 | ||
22 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
23 | --- | ||
24 | src/backend/optimizer/util/clauses.c | 7 ++++++ | ||
25 | src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++ | ||
26 | src/test/regress/sql/rowsecurity.sql | 20 +++++++++++++++++ | ||
27 | 3 files changed, 54 insertions(+) | ||
28 | |||
29 | diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c | ||
30 | index 946e232..b8e469f 100644 | ||
31 | --- a/src/backend/optimizer/util/clauses.c | ||
32 | +++ b/src/backend/optimizer/util/clauses.c | ||
33 | @@ -5142,6 +5142,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte) | ||
34 | */ | ||
35 | record_plan_function_dependency(root, func_oid); | ||
36 | |||
37 | + /* | ||
38 | + * We must also notice if the inserted query adds a dependency on the | ||
39 | + * calling role due to RLS quals. | ||
40 | + */ | ||
41 | + if (querytree->hasRowSecurity) | ||
42 | + root->glob->dependsOnRole = true; | ||
43 | + | ||
44 | return querytree; | ||
45 | |||
46 | /* Here if func is not inlinable: release temp memory and return NULL */ | ||
47 | diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out | ||
48 | index 5116e23..26eecd0 100644 | ||
49 | --- a/src/test/regress/expected/rowsecurity.out | ||
50 | +++ b/src/test/regress/expected/rowsecurity.out | ||
51 | @@ -4001,6 +4001,33 @@ SELECT * FROM rls_tbl; | ||
52 | |||
53 | DROP TABLE rls_tbl; | ||
54 | RESET SESSION AUTHORIZATION; | ||
55 | +-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency | ||
56 | +create table rls_t (c text); | ||
57 | +insert into rls_t values ('invisible to bob'); | ||
58 | +alter table rls_t enable row level security; | ||
59 | +grant select on rls_t to regress_rls_alice, regress_rls_bob; | ||
60 | +create policy p1 on rls_t for select to regress_rls_alice using (true); | ||
61 | +create policy p2 on rls_t for select to regress_rls_bob using (false); | ||
62 | +create function rls_f () returns setof rls_t | ||
63 | + stable language sql | ||
64 | + as $$ select * from rls_t $$; | ||
65 | +prepare q as select current_user, * from rls_f(); | ||
66 | +set role regress_rls_alice; | ||
67 | +execute q; | ||
68 | + current_user | c | ||
69 | +-------------------+------------------ | ||
70 | + regress_rls_alice | invisible to bob | ||
71 | +(1 row) | ||
72 | + | ||
73 | +set role regress_rls_bob; | ||
74 | +execute q; | ||
75 | + current_user | c | ||
76 | +--------------+--- | ||
77 | +(0 rows) | ||
78 | + | ||
79 | +RESET ROLE; | ||
80 | +DROP FUNCTION rls_f(); | ||
81 | +DROP TABLE rls_t; | ||
82 | -- | ||
83 | -- Clean up objects | ||
84 | -- | ||
85 | diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql | ||
86 | index 178eeb0..83d99e3 100644 | ||
87 | --- a/src/test/regress/sql/rowsecurity.sql | ||
88 | +++ b/src/test/regress/sql/rowsecurity.sql | ||
89 | @@ -1839,6 +1839,26 @@ SELECT * FROM rls_tbl; | ||
90 | DROP TABLE rls_tbl; | ||
91 | RESET SESSION AUTHORIZATION; | ||
92 | |||
93 | +-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency | ||
94 | +create table rls_t (c text); | ||
95 | +insert into rls_t values ('invisible to bob'); | ||
96 | +alter table rls_t enable row level security; | ||
97 | +grant select on rls_t to regress_rls_alice, regress_rls_bob; | ||
98 | +create policy p1 on rls_t for select to regress_rls_alice using (true); | ||
99 | +create policy p2 on rls_t for select to regress_rls_bob using (false); | ||
100 | +create function rls_f () returns setof rls_t | ||
101 | + stable language sql | ||
102 | + as $$ select * from rls_t $$; | ||
103 | +prepare q as select current_user, * from rls_f(); | ||
104 | +set role regress_rls_alice; | ||
105 | +execute q; | ||
106 | +set role regress_rls_bob; | ||
107 | +execute q; | ||
108 | + | ||
109 | +RESET ROLE; | ||
110 | +DROP FUNCTION rls_f(); | ||
111 | +DROP TABLE rls_t; | ||
112 | + | ||
113 | -- | ||
114 | -- Clean up objects | ||
115 | -- | ||
116 | -- | ||
117 | 2.25.1 | ||
118 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch deleted file mode 100644 index 92a3dcc71..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | Remove duplicate code for riscv | ||
2 | |||
3 | Upstream-Status: Pending | ||
4 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
5 | |||
6 | --- a/src/include/storage/s_lock.h | ||
7 | +++ b/src/include/storage/s_lock.h | ||
8 | @@ -341,30 +341,6 @@ tas(volatile slock_t *lock) | ||
9 | #endif /* HAVE_GCC__SYNC_INT32_TAS */ | ||
10 | #endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ | ||
11 | |||
12 | - | ||
13 | -/* | ||
14 | - * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available. | ||
15 | - */ | ||
16 | -#if defined(__riscv) | ||
17 | -#ifdef HAVE_GCC__SYNC_INT32_TAS | ||
18 | -#define HAS_TEST_AND_SET | ||
19 | - | ||
20 | -#define TAS(lock) tas(lock) | ||
21 | - | ||
22 | -typedef int slock_t; | ||
23 | - | ||
24 | -static __inline__ int | ||
25 | -tas(volatile slock_t *lock) | ||
26 | -{ | ||
27 | - return __sync_lock_test_and_set(lock, 1); | ||
28 | -} | ||
29 | - | ||
30 | -#define S_UNLOCK(lock) __sync_lock_release(lock) | ||
31 | - | ||
32 | -#endif /* HAVE_GCC__SYNC_INT32_TAS */ | ||
33 | -#endif /* __riscv */ | ||
34 | - | ||
35 | - | ||
36 | /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ | ||
37 | #if defined(__s390__) || defined(__s390x__) | ||
38 | #define HAS_TEST_AND_SET | ||
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.16.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.16.bb new file mode 100644 index 000000000..134826220 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.16.bb | |||
@@ -0,0 +1,11 @@ | |||
1 | require postgresql.inc | ||
2 | |||
3 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c31f662bb2bfb3b4187fe9a53e0ffe7c" | ||
4 | |||
5 | SRC_URI += "\ | ||
6 | file://not-check-libperl.patch \ | ||
7 | file://0001-Add-support-for-RISC-V.patch \ | ||
8 | file://0001-Improve-reproducibility.patch \ | ||
9 | " | ||
10 | |||
11 | SRC_URI[sha256sum] = "c5f1fff7a0f93e1ec3746417b0594290ece617b4995ed95b8d527af0ba0e38f3" | ||
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb deleted file mode 100644 index a32701cd8..000000000 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb +++ /dev/null | |||
@@ -1,17 +0,0 @@ | |||
1 | require postgresql.inc | ||
2 | |||
3 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=255f15687738db8068fbe9b938c90217" | ||
4 | |||
5 | SRC_URI += "\ | ||
6 | file://not-check-libperl.patch \ | ||
7 | file://0001-Add-support-for-RISC-V.patch \ | ||
8 | file://0001-Improve-reproducibility.patch \ | ||
9 | file://remove_duplicate.patch \ | ||
10 | file://CVE-2022-1552.patch \ | ||
11 | file://CVE-2022-2625.patch \ | ||
12 | file://CVE-2022-41862.patch \ | ||
13 | file://CVE-2023-2454.patch \ | ||
14 | file://CVE-2023-2455.patch \ | ||
15 | " | ||
16 | |||
17 | SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce" | ||