diff options
| author | Stephen Frost <sfrost@snowman.net> | 2015-01-12 17:04:11 -0500 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2015-01-28 12:32:06 -0500 |
| commit | 3cc74a3d61f26e6558ee662b6700f74962bd1d8b (patch) | |
| tree | f65fae680eaf9f47c241d9eacc578443ff416f5f /src/backend/commands/copy.c | |
| parent | 3d5e857ab1ed7dbac28e6c0aea580d1dfb9dc9ed (diff) | |
| download | postgresql-3cc74a3d61f26e6558ee662b6700f74962bd1d8b.tar.gz postgresql-3cc74a3d61f26e6558ee662b6700f74962bd1d8b.zip | |
Fix column-privilege leak in error-message paths
While building error messages to return to the user,
BuildIndexValueDescription, ExecBuildSlotValueDescription and
ri_ReportViolation would happily include the entire key or entire row in
the result returned to the user, even if the user didn't have access to
view all of the columns being included.
Instead, include only those columns which the user is providing or which
the user has select rights on. If the user does not have any rights
to view the table or any of the columns involved then no detail is
provided and a NULL value is returned from BuildIndexValueDescription
and ExecBuildSlotValueDescription. Note that, for key cases, the user
must have access to all of the columns for the key to be shown; a
partial key will not be returned.
Back-patch all the way, as column-level privileges are now in all
supported versions.
This has been assigned CVE-2014-8161, but since the issue and the patch
have already been publicized on pgsql-hackers, there's no point in trying
to hide this commit.
Diffstat (limited to 'src/backend/commands/copy.c')
| -rw-r--r-- | src/backend/commands/copy.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c index fbd7492a73f..9ab1e1989fb 100644 --- a/src/backend/commands/copy.c +++ b/src/backend/commands/copy.c @@ -160,6 +160,7 @@ typedef struct CopyStateData int *defmap; /* array of default att numbers */ ExprState **defexprs; /* array of default att expressions */ bool volatile_defexprs; /* is any of defexprs volatile? */ + List *range_table; /* * These variables are used to reduce overhead in textual COPY FROM. @@ -784,6 +785,7 @@ DoCopy(const CopyStmt *stmt, const char *queryString, uint64 *processed) bool pipe = (stmt->filename == NULL); Relation rel; Oid relid; + RangeTblEntry *rte; /* Disallow COPY to/from file or program except to superusers. */ if (!pipe && !superuser()) @@ -806,7 +808,6 @@ DoCopy(const CopyStmt *stmt, const char *queryString, uint64 *processed) { TupleDesc tupDesc; AclMode required_access = (is_from ? ACL_INSERT : ACL_SELECT); - RangeTblEntry *rte; List *attnums; ListCell *cur; @@ -856,6 +857,7 @@ DoCopy(const CopyStmt *stmt, const char *queryString, uint64 *processed) cstate = BeginCopyFrom(rel, stmt->filename, stmt->is_program, stmt->attlist, stmt->options); + cstate->range_table = list_make1(rte); *processed = CopyFrom(cstate); /* copy from file to database */ EndCopyFrom(cstate); } @@ -864,6 +866,7 @@ DoCopy(const CopyStmt *stmt, const char *queryString, uint64 *processed) cstate = BeginCopyTo(rel, stmt->query, queryString, stmt->filename, stmt->is_program, stmt->attlist, stmt->options); + cstate->range_table = list_make1(rte); *processed = DoCopyTo(cstate); /* copy from database to file */ EndCopyTo(cstate); } @@ -2184,6 +2187,7 @@ CopyFrom(CopyState cstate) estate->es_result_relations = resultRelInfo; estate->es_num_result_relations = 1; estate->es_result_relation_info = resultRelInfo; + estate->es_range_table = cstate->range_table; /* Set up a tuple slot too */ myslot = ExecInitExtraTupleSlot(estate); |