For publication schemas (OBJECT_PUBLICATION_NAMESPACE) and user
mappings (OBJECT_USER_MAPPING), pg_get_object_address() checked the
array length of the second argument, but not of the first argument.
If the first argument was too long, it would just silently ignore
everything but the first argument. Fix that by checking the length of
the first argument as well.
I wouldn't be surprised if there were more holes like this in this area.
I just happened to find these while working on something related.From eb80c87a083464160a1436e5f983df840b282085 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Tue, 20 Sep 2022 13:37:27 -0400
Subject: [PATCH] Tighten pg_get_object_address argument checking
For publication schemas (OBJECT_PUBLICATION_NAMESPACE) and user
mappings (OBJECT_USER_MAPPING), pg_get_object_address() checked the
array length of the second argument, but not of the first argument.
If the first argument was too long, it would just silently ignore
everything but the first argument. Fix that by checking the length of
the first argument as well.
---
src/backend/catalog/objectaddress.c | 10 ++++++++--
src/test/regress/expected/object_address.out | 16 +++++++++++-----
src/test/regress/sql/object_address.sql | 2 +-
3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/backend/catalog/objectaddress.c
b/src/backend/catalog/objectaddress.c
index 8377b4f7d4d1..27616ac2ad26 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2239,10 +2239,16 @@ pg_get_object_address(PG_FUNCTION_ARGS)
*/
switch (type)
{
+ case OBJECT_PUBLICATION_NAMESPACE:
+ case OBJECT_USER_MAPPING:
+ if (list_length(name) != 1)
+ ereport(ERROR,
+
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("name list length must
be exactly %d", 1)));
+ /* fall through to check args length */
+ /* FALLTHROUGH */
case OBJECT_DOMCONSTRAINT:
case OBJECT_CAST:
- case OBJECT_USER_MAPPING:
- case OBJECT_PUBLICATION_NAMESPACE:
case OBJECT_PUBLICATION_REL:
case OBJECT_DEFACL:
case OBJECT_TRANSFORM:
diff --git a/src/test/regress/expected/object_address.out
b/src/test/regress/expected/object_address.out
index 4117fc27c9a5..cbb99c7b9f94 100644
--- a/src/test/regress/expected/object_address.out
+++ b/src/test/regress/expected/object_address.out
@@ -105,7 +105,7 @@ BEGIN
('text search template'), ('text search configuration'),
('policy'), ('user mapping'), ('default acl'), ('transform'),
('operator of access method'), ('function of access method'),
- ('publication relation')
+ ('publication namespace'), ('publication relation')
LOOP
FOR names IN VALUES ('{eins}'), ('{addr_nsp, zwei}'), ('{eins,
zwei, drei}')
LOOP
@@ -285,10 +285,10 @@ WARNING: error for policy,{eins,zwei,drei},{}: schema
"eins" does not exist
WARNING: error for policy,{eins,zwei,drei},{integer}: schema "eins" does not
exist
WARNING: error for user mapping,{eins},{}: argument list length must be
exactly 1
WARNING: error for user mapping,{eins},{integer}: user mapping for user
"eins" on server "integer" does not exist
-WARNING: error for user mapping,{addr_nsp,zwei},{}: argument list length must
be exactly 1
-WARNING: error for user mapping,{addr_nsp,zwei},{integer}: user mapping for
user "addr_nsp" on server "integer" does not exist
-WARNING: error for user mapping,{eins,zwei,drei},{}: argument list length
must be exactly 1
-WARNING: error for user mapping,{eins,zwei,drei},{integer}: user mapping for
user "eins" on server "integer" does not exist
+WARNING: error for user mapping,{addr_nsp,zwei},{}: name list length must be
exactly 1
+WARNING: error for user mapping,{addr_nsp,zwei},{integer}: name list length
must be exactly 1
+WARNING: error for user mapping,{eins,zwei,drei},{}: name list length must be
exactly 1
+WARNING: error for user mapping,{eins,zwei,drei},{integer}: name list length
must be exactly 1
WARNING: error for default acl,{eins},{}: argument list length must be
exactly 1
WARNING: error for default acl,{eins},{integer}: unrecognized default ACL
object type "i"
WARNING: error for default acl,{addr_nsp,zwei},{}: argument list length must
be exactly 1
@@ -313,6 +313,12 @@ WARNING: error for function of access
method,{addr_nsp,zwei},{}: name list leng
WARNING: error for function of access method,{addr_nsp,zwei},{integer}: name
list length must be at least 3
WARNING: error for function of access method,{eins,zwei,drei},{}: argument
list length must be exactly 2
WARNING: error for function of access method,{eins,zwei,drei},{integer}:
argument list length must be exactly 2
+WARNING: error for publication namespace,{eins},{}: argument list length must
be exactly 1
+WARNING: error for publication namespace,{eins},{integer}: schema "eins" does
not exist
+WARNING: error for publication namespace,{addr_nsp,zwei},{}: name list length
must be exactly 1
+WARNING: error for publication namespace,{addr_nsp,zwei},{integer}: name list
length must be exactly 1
+WARNING: error for publication namespace,{eins,zwei,drei},{}: name list
length must be exactly 1
+WARNING: error for publication namespace,{eins,zwei,drei},{integer}: name
list length must be exactly 1
WARNING: error for publication relation,{eins},{}: argument list length must
be exactly 1
WARNING: error for publication relation,{eins},{integer}: relation "eins"
does not exist
WARNING: error for publication relation,{addr_nsp,zwei},{}: argument list
length must be exactly 1
diff --git a/src/test/regress/sql/object_address.sql
b/src/test/regress/sql/object_address.sql
index acd0468a9d9f..8cae20c0f582 100644
--- a/src/test/regress/sql/object_address.sql
+++ b/src/test/regress/sql/object_address.sql
@@ -98,7 +98,7 @@ CREATE STATISTICS addr_nsp.gentable_stat ON a, b FROM
addr_nsp.gentable;
('text search template'), ('text search configuration'),
('policy'), ('user mapping'), ('default acl'), ('transform'),
('operator of access method'), ('function of access method'),
- ('publication relation')
+ ('publication namespace'), ('publication relation')
LOOP
FOR names IN VALUES ('{eins}'), ('{addr_nsp, zwei}'), ('{eins,
zwei, drei}')
LOOP
--
2.37.3
