From b048f558dd7c26a0c630a2cff29d3d8981eaf6b9 Mon Sep 17 00:00:00 2001
From: Alvaro Herrera <alvherre@alvh.no-ip.org>
Date: Mon, 10 Feb 2020 11:47:09 -0300
Subject: [PATCH] Fix priv checks for ALTER <object> DEPENDS ON EXTENSION

Marking an object as dependant on an extension did not have any
privilege check whatsoever; this allowed any user to mark objects as
droppable by anyone able to DROP EXTENSION, which could be used to cause
system-wide havoc. Disallow by checking that the calling user owns the
mentioned object.

(No constraints are placed on the extension.)

Security: CVE-2020-1720
Reported-by: Tom Lane
Discussion: 31605.1566429043@sss.pgh.pa.us
---
 src/backend/commands/alter.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index fca85ba2c17f..1cb84182b05f 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -430,6 +430,17 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre
get_object_address_rv(stmt->objectType, stmt->relation, (List *) stmt->object,
&rel, AccessExclusiveLock, false);
+ /*
+ * Verify that the user is entitled to run the command.
+ *
+ * We don't check any privileges on the extension, because that's not
+ * needed. The object owner is stipulating, by running this command, that
+ * the extension owner can drop the object whenever they feel like it,
+ * which is not considered a problem.
+ */
+ check_object_ownership(GetUserId(),
+ stmt->objectType, address, stmt->object, rel);
+
/*
* If a relation was involved, it would have been opened and locked. We
* don't need the relation here, but we'll retain the lock until commit.
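
Review bot: the added check_object_ownership() call runs only after get_object_address_rv() has already been called with AccessExclusiveLock, so a caller who does not own the object still requests that lock on the relation before being rejected. The new comment explains why the extension needs no privilege check but says nothing about this ordering; it would help to state in the comment that checking after the lookup is intentional and that the lock taken by a rejected caller is acceptable, or to move the permission check ahead of the lock if the lookup API allows it. Separately, the diffstat shows only alter.c changing: a regression test in which a non-owner runs ALTER ... DEPENDS ON EXTENSION and gets a permission error would keep this check from being lost in a later refactor.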