diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2017-08-07 10:19:01 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2017-08-07 10:19:22 -0400 |
| commit | f1cda6d6cbb2b551331802cab57957fa5307cf2c (patch) | |
| tree | 7da145bc52d84c8413028bb7a5a2f56b7476359e | |
| parent | b6e39ca92eeee4e5fa0e83ce3e04dad82559983f (diff) | |
| download | postgresql-f1cda6d6cbb2b551331802cab57957fa5307cf2c.tar.gz postgresql-f1cda6d6cbb2b551331802cab57957fa5307cf2c.zip | |
Require update permission for the large object written by lo_put().
lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack. Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.
Tom Lane and Michael Paquier
Security: CVE-2017-7548
| -rw-r--r-- | src/backend/libpq/be-fsstubs.c | 12 | ||||
| -rw-r--r-- | src/test/regress/expected/privileges.out | 10 | ||||
| -rw-r--r-- | src/test/regress/sql/privileges.sql | 4 |
3 files changed, 26 insertions, 0 deletions
diff --git a/src/backend/libpq/be-fsstubs.c b/src/backend/libpq/be-fsstubs.c index 52bac4337d3..bcc90b9be2a 100644 --- a/src/backend/libpq/be-fsstubs.c +++ b/src/backend/libpq/be-fsstubs.c @@ -898,6 +898,18 @@ lo_put(PG_FUNCTION_ARGS) CreateFSContext(); loDesc = inv_open(loOid, INV_WRITE, fscxt); + + /* Permission check */ + if (!lo_compat_privileges && + pg_largeobject_aclcheck_snapshot(loDesc->id, + GetUserId(), + ACL_UPDATE, + loDesc->snapshot) != ACLCHECK_OK) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied for large object %u", + loDesc->id))); + inv_seek(loDesc, offset, SEEK_SET); written = inv_write(loDesc, VARDATA_ANY(str), VARSIZE_ANY_EXHDR(str)); Assert(written == VARSIZE_ANY_EXHDR(str)); diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out index 1e630684f6d..3234c02438c 100644 --- a/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out @@ -1189,6 +1189,14 @@ SELECT lo_create(2002); 2002 (1 row) +SELECT loread(lo_open(1001, x'20000'::int), 32); -- allowed, for now + loread +-------- + \x +(1 row) + +SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd'); -- fail, wrong mode +ERROR: large object descriptor 0 was not opened for writing SELECT loread(lo_open(1001, x'40000'::int), 32); loread -------- @@ -1284,6 +1292,8 @@ SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied ERROR: permission denied for large object 1002 SELECT lo_truncate(lo_open(1002, x'20000'::int), 10); -- to be denied ERROR: permission denied for large object 1002 +SELECT lo_put(1002, 1, 'abcd'); -- to be denied +ERROR: permission denied for large object 1002 SELECT lo_unlink(1002); -- to be denied ERROR: must be owner of large object 1002 SELECT lo_export(1001, '/dev/null'); -- to be denied diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql index 099b095790d..8695607747b 100644 --- a/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql @@ -753,6 +753,9 @@ SET SESSION AUTHORIZATION regressuser2; SELECT lo_create(2001); SELECT lo_create(2002); +SELECT loread(lo_open(1001, x'20000'::int), 32); -- allowed, for now +SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd'); -- fail, wrong mode + SELECT loread(lo_open(1001, x'40000'::int), 32); SELECT loread(lo_open(1002, x'40000'::int), 32); -- to be denied SELECT loread(lo_open(1003, x'40000'::int), 32); @@ -792,6 +795,7 @@ SET SESSION AUTHORIZATION regressuser4; SELECT loread(lo_open(1002, x'40000'::int), 32); -- to be denied SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied SELECT lo_truncate(lo_open(1002, x'20000'::int), 10); -- to be denied +SELECT lo_put(1002, 1, 'abcd'); -- to be denied SELECT lo_unlink(1002); -- to be denied SELECT lo_export(1001, '/dev/null'); -- to be denied |