Prevent privilege escalation in explicit calls to PL validators. The primary role of PL validators is to be called implicitly during CREATE FUNCTION, but they are also normal functions that a user can call explicitly. Add a permissions check to each validator to ensure that a user cannot use explicit validator calls to achieve things he could not otherwise achieve. Back-patch to 8.4 (all supported versions). Non-core procedural language extensions ought to make the same two-line change to their own validators.
Andres Freund, reviewed by Tom Lane and Noah Misch. Security: CVE-2014-0061 Branch ------ REL9_0_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/c0ac4c75ff048b8ff6d8436946e9c414c2b64f94 Modified Files -------------- doc/src/sgml/plhandler.sgml | 5 ++- src/backend/catalog/pg_proc.c | 9 ++++ src/backend/commands/functioncmds.c | 1 - src/backend/utils/fmgr/fmgr.c | 84 +++++++++++++++++++++++++++++++++++ src/include/fmgr.h | 1 + src/pl/plperl/plperl.c | 3 ++ src/pl/plpgsql/src/pl_handler.c | 3 ++ 7 files changed, 104 insertions(+), 2 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
