Hi! On Fri, Aug 30, 2024 at 11:43 AM Dmitry Koval <d.ko...@postgrespro.ru> wrote: > I plan to prepare fixes for issues from email [1] as separate commits > (for better code readability). Attachment in this email is a variant of > fix for the issue: > > > 1. Function createPartitionTable() should be rewritten using > > partitioned table OID (not name) and without using ProcessUtility(). > > Patch "Refactor createPartitionTable to remove ProcessUtility call" > contains code changes + test (see file > v33-0003-Refactor-createPartitionTable-to-remove-ProcessU.patch). > > But I'm not sure that refactoring createPartitionTable is the best > solution. PostgreSQL code has issue CVE-2014-0062 (commit 5f17304) - see > relation_openrv() call in expandTableLikeClause() function [2] (opening > relation by name after we got relation Oid). > Example for reproduce relation_openrv() call: > > CREATE TABLE t (b bigint, i int DEFAULT 100); > CREATE TABLE t1 (LIKE t_bigint INCLUDING ALL); > > Commit 04158e7fa3 [3] (by Alexander Korotkov) might be a good fix for > this issue. But if we keep commit 04158e7fa3, do we need to refactor the > createPartitionTable function (for removing ProcessUtility)? > Perhaps the existing code > 1) v33-0002-Implement-ALTER-TABLE-.-SPLIT-PARTITION-.-comman.patch > 2) v33-0003-Refactor-createPartitionTable-to-remove-ProcessU.patch + > with patch 04158e7fa3 will look better. > > > I would be very grateful for comments and suggestions.
Thank you for continuing your work on the subject. The patches currently doesn't apply cleanly. Please, rebase. I think getting away from expandTableLikeClause() is the right direction to resolve the security problems. That looks great, it finally not as complex as I thought. I think the code requires some polishing: you need to revise the comments given its not part of LIKE clause handling anymore. I see fixes for the issues mentioned in [1] and [2] are still not implemented. Do you plan to do this in this release cycle? Links. 1. https://www.postgresql.org/message-id/CA%2BTgmoY0%3DbT_xBP8csR%3DMFE%3DFxGE2n2-me2-31jBOgEcLvW7ug%40mail.gmail.com 2. https://www.postgresql.org/message-id/859476bf-3cb0-455e-b093-b8ab5ef17f0e%40postgrespro.ru ------ Regards, Alexander Korotkov Supabase
