Prevent privilege escalation in explicit calls to PL validators.
The primary role of PL validators is to be called implicitly during
CREATE FUNCTION, but they are also normal functions that a user can call
explicitly. Add a permissions check to each validator to ensure that a
user cannot use explicit validator calls to achieve things he could not
otherwise achieve. Back-patch to 8.4 (all supported versions).
Non-core procedural language extensions ought to make the same two-line
change to their own validators.
Andres Freund, reviewed by Tom Lane and Noah Misch.
Security: CVE-2014-0061
Branch
------
REL9_2_STABLE
Details
-------
http://git.postgresql.org/pg/commitdiff/1d701d28a796ea2d1a4d2be9e9ee06209eaea040
Modified Files
--------------
doc/src/sgml/plhandler.sgml | 5 ++-
src/backend/catalog/pg_proc.c | 9 ++++
src/backend/commands/functioncmds.c | 1 -
src/backend/utils/fmgr/fmgr.c | 84 +++++++++++++++++++++++++++++++++++
src/include/fmgr.h | 1 +
src/pl/plperl/plperl.c | 4 ++
src/pl/plpgsql/src/pl_handler.c | 3 ++
src/pl/plpython/plpy_main.c | 4 ++
8 files changed, 109 insertions(+), 2 deletions(-)
