In REFRESH MATERIALIZED VIEW, set user ID before running user code. It intended to, but did not, achieve this. Adopt the new standard of setting user ID just after locking the relation. Back-patch to v10 (all supported versions).
Reviewed by Simon Riggs. Reported by Alvaro Herrera. Security: CVE-2022-1552 Branch ------ REL_11_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/34ff15660b4f752e3941d661c3896fd96b1571f9 Modified Files -------------- src/backend/commands/matview.c | 30 +++++++++++------------------- src/test/regress/expected/privileges.out | 16 ++++++++++++++++ src/test/regress/sql/privileges.sql | 17 +++++++++++++++++ 3 files changed, 44 insertions(+), 19 deletions(-)
