Skip to content

Commit 52a4143

Browse files
tglsfdctglsfdc
committed
Require update permission for the large object written by lo_put().
lo_put() surely should require UPDATE permission, the same as lowrite(), but it failed to check for that, as reported by Chapman Flack. Oversight in commit c50b7c0; backpatch to 9.4 where that was introduced. Tom Lane and Michael Paquier Security: CVE-2017-7548
1 parent 1560996 commit 52a4143

File tree

3 files changed

+26
-0
lines changed

3 files changed

+26
-0
lines changed

src/backend/libpq/be-fsstubs.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -896,6 +896,18 @@ lo_put(PG_FUNCTION_ARGS)
896896
CreateFSContext();
897897

898898
loDesc = inv_open(loOid, INV_WRITE, fscxt);
899+
900+
/* Permission check */
901+
if (!lo_compat_privileges &&
902+
pg_largeobject_aclcheck_snapshot(loDesc->id,
903+
GetUserId(),
904+
ACL_UPDATE,
905+
loDesc->snapshot) != ACLCHECK_OK)
906+
ereport(ERROR,
907+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
908+
errmsg("permission denied for large object %u",
909+
loDesc->id)));
910+
899911
inv_seek(loDesc, offset, SEEK_SET);
900912
written = inv_write(loDesc, VARDATA_ANY(str), VARSIZE_ANY_EXHDR(str));
901913
Assert(written == VARSIZE_ANY_EXHDR(str));

src/test/regress/expected/privileges.out

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1219,6 +1219,14 @@ SELECT lo_create(2002);
12191219
2002
12201220
(1 row)
12211221

1222+
SELECT loread(lo_open(1001, x'20000'::int), 32); -- allowed, for now
1223+
loread
1224+
--------
1225+
\x
1226+
(1 row)
1227+
1228+
SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd'); -- fail, wrong mode
1229+
ERROR: large object descriptor 0 was not opened for writing
12221230
SELECT loread(lo_open(1001, x'40000'::int), 32);
12231231
loread
12241232
--------
@@ -1314,6 +1322,8 @@ SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied
13141322
ERROR: permission denied for large object 1002
13151323
SELECT lo_truncate(lo_open(1002, x'20000'::int), 10); -- to be denied
13161324
ERROR: permission denied for large object 1002
1325+
SELECT lo_put(1002, 1, 'abcd'); -- to be denied
1326+
ERROR: permission denied for large object 1002
13171327
SELECT lo_unlink(1002); -- to be denied
13181328
ERROR: must be owner of large object 1002
13191329
SELECT lo_export(1001, '/dev/null'); -- to be denied

src/test/regress/sql/privileges.sql

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -770,6 +770,9 @@ SET SESSION AUTHORIZATION regress_user2;
770770
SELECT lo_create(2001);
771771
SELECT lo_create(2002);
772772

773+
SELECT loread(lo_open(1001, x'20000'::int), 32); -- allowed, for now
774+
SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd'); -- fail, wrong mode
775+
773776
SELECT loread(lo_open(1001, x'40000'::int), 32);
774777
SELECT loread(lo_open(1002, x'40000'::int), 32); -- to be denied
775778
SELECT loread(lo_open(1003, x'40000'::int), 32);
@@ -809,6 +812,7 @@ SET SESSION AUTHORIZATION regress_user4;
809812
SELECT loread(lo_open(1002, x'40000'::int), 32); -- to be denied
810813
SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied
811814
SELECT lo_truncate(lo_open(1002, x'20000'::int), 10); -- to be denied
815+
SELECT lo_put(1002, 1, 'abcd'); -- to be denied
812816
SELECT lo_unlink(1002); -- to be denied
813817
SELECT lo_export(1001, '/dev/null'); -- to be denied
814818

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy