Skip to content

Commit 880511c

Browse files
nmischnmisch
committed
In REFRESH MATERIALIZED VIEW, set user ID before running user code.
It intended to, but did not, achieve this. Adopt the new standard of setting user ID just after locking the relation. Back-patch to v10 (all supported versions). Reviewed by Simon Riggs. Reported by Alvaro Herrera. Security: CVE-2022-1552
1 parent 7f098f7 commit 880511c

File tree

3 files changed

+44
-19
lines changed

3 files changed

+44
-19
lines changed

src/backend/commands/matview.c

Lines changed: 11 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
167167
lockmode, 0,
168168
RangeVarCallbackOwnsTable, NULL);
169169
matviewRel = table_open(matviewOid, NoLock);
170+
relowner = matviewRel->rd_rel->relowner;
171+
172+
/*
173+
* Switch to the owner's userid, so that any functions are run as that
174+
* user. Also lock down security-restricted operations and arrange to
175+
* make GUC variable changes local to this command.
176+
*/
177+
GetUserIdAndSecContext(&save_userid, &save_sec_context);
178+
SetUserIdAndSecContext(relowner,
179+
save_sec_context | SECURITY_RESTRICTED_OPERATION);
180+
save_nestlevel = NewGUCNestLevel();
170181

171182
/* Make sure it is a materialized view. */
172183
if (matviewRel->rd_rel->relkind != RELKIND_MATVIEW)
@@ -268,19 +279,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
268279
*/
269280
SetMatViewPopulatedState(matviewRel, !stmt->skipData);
270281

271-
relowner = matviewRel->rd_rel->relowner;
272-
273-
/*
274-
* Switch to the owner's userid, so that any functions are run as that
275-
* user. Also arrange to make GUC variable changes local to this command.
276-
* Don't lock it down too tight to create a temporary table just yet. We
277-
* will switch modes when we are about to execute user code.
278-
*/
279-
GetUserIdAndSecContext(&save_userid, &save_sec_context);
280-
SetUserIdAndSecContext(relowner,
281-
save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
282-
save_nestlevel = NewGUCNestLevel();
283-
284282
/* Concurrent refresh builds new data in temp tablespace, and does diff. */
285283
if (concurrent)
286284
{
@@ -303,12 +301,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
303301
LockRelationOid(OIDNewHeap, AccessExclusiveLock);
304302
dest = CreateTransientRelDestReceiver(OIDNewHeap);
305303

306-
/*
307-
* Now lock down security-restricted operations.
308-
*/
309-
SetUserIdAndSecContext(relowner,
310-
save_sec_context | SECURITY_RESTRICTED_OPERATION);
311-
312304
/* Generate the data, if wanted. */
313305
if (!stmt->skipData)
314306
processed = refresh_matview_datafill(dest, dataQuery, queryString);

src/test/regress/expected/privileges.out

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1431,6 +1431,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1
14311431
SQL statement "SELECT unwanted_grant()"
14321432
PL/pgSQL function sro_trojan() line 1 at PERFORM
14331433
SQL function "mv_action" statement 1
1434+
-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
1435+
SET SESSION AUTHORIZATION regress_sro_user;
1436+
CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
1437+
IMMUTABLE LANGUAGE plpgsql AS $$
1438+
BEGIN
1439+
PERFORM unwanted_grant();
1440+
RAISE WARNING 'owned';
1441+
RETURN 1;
1442+
EXCEPTION WHEN OTHERS THEN
1443+
RETURN 2;
1444+
END$$;
1445+
CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
1446+
CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
1447+
\c -
1448+
REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
1449+
REFRESH MATERIALIZED VIEW sro_index_mv;
14341450
DROP OWNED BY regress_sro_user;
14351451
DROP ROLE regress_sro_user;
14361452
-- Admin options

src/test/regress/sql/privileges.sql

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -899,6 +899,23 @@ REFRESH MATERIALIZED VIEW sro_mv;
899899
REFRESH MATERIALIZED VIEW sro_mv;
900900
BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
901901

902+
-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
903+
SET SESSION AUTHORIZATION regress_sro_user;
904+
CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
905+
IMMUTABLE LANGUAGE plpgsql AS $$
906+
BEGIN
907+
PERFORM unwanted_grant();
908+
RAISE WARNING 'owned';
909+
RETURN 1;
910+
EXCEPTION WHEN OTHERS THEN
911+
RETURN 2;
912+
END$$;
913+
CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
914+
CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
915+
\c -
916+
REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
917+
REFRESH MATERIALIZED VIEW sro_index_mv;
918+
902919
DROP OWNED BY regress_sro_user;
903920
DROP ROLE regress_sro_user;
904921

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy