Prevent privilege escalation in explicit calls to PL validators.

The primary role of PL validators is to be called implicitly during CREATE FUNCTION, but they are also normal functions that a user can call explicitly. Add a permissions check to each validator to ensure that a user cannot use explicit validator calls to achieve things he could not otherwise achieve.

Back-patch to 8.4 (all supported versions). Non-core procedural language extensions ought to make the same two-line change to their own validators.

Andres Freund, reviewed by Tom Lane and Noah Misch.

Security: CVE-2014-0061

Branch
------
REL8_4_STABLE

Details
-------
http://git.postgresql.org/pg/commitdiff/823b9dc2566dbdbdab3c08b83adb64eb428b8ca5

Modified Files
--------------
src/backend/catalog/pg_proc.c       |    9 ++++
src/backend/commands/functioncmds.c |    1 -
src/backend/utils/fmgr/fmgr.c       |   85 +++++++++++++++++++++++++++++++++++
src/include/fmgr.h                  |    1 +
src/pl/plperl/plperl.c              |    3 ++
src/pl/plpgsql/src/pl_handler.c     |    3 ++
6 files changed, 101 insertions(+), 1 deletion(-)
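
For administrators acting on the commit message's note about non-core procedural languages, the following catalog query is an added example (not part of the commit or of the PostgreSQL project's code) that lists every installed language with a validator and where that validator is implemented. The list of core language names is an assumption derived from the Modified Files above.

```sql
-- Added audit query, not from the commit.
-- Lists each language that has a validator, the function implementing it,
-- and flags languages whose validators are not in the files this commit touches.
SELECT l.lanname                    AS language,
       l.lanpltrusted               AS trusted,
       l.lanvalidator::regprocedure AS validator,
       n.nspname                    AS validator_schema,
       il.lanname                   AS implemented_in,   -- 'internal' or 'c'
       p.prosrc                     AS symbol,
       p.probin                     AS library,          -- meaningful only for shared-library validators
       CASE
         -- Assumption: these names map to pg_proc.c, plperl.c and pl_handler.c
         -- from the Modified Files list.
         WHEN l.lanname IN ('internal', 'c', 'sql',
                            'plpgsql', 'plperl', 'plperlu')
           THEN 'core: validator source is in the modified files'
         ELSE 'non-core: confirm the extension added the permissions check'
       END                          AS status
FROM pg_language l
JOIN pg_proc p       ON p.oid  = l.lanvalidator   -- drops languages without a validator
JOIN pg_namespace n  ON n.oid  = p.pronamespace
JOIN pg_language il  ON il.oid = p.prolang
ORDER BY status DESC, l.lanname;
```

Rows marked non-core identify the validators whose maintainers need to have made the equivalent change; the query only inventories them and cannot tell whether a given library build includes the check.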
