diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2022-08-08 11:12:31 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2022-08-08 11:12:31 -0400 |
| commit | b9b21acc766db54d8c337d508d0fe2f5bf2daab0 (patch) | |
| tree | f1e302dbebbfb0ec7cc53f9bbfbd3ef91463c481 /src/backend/commands/view.c | |
| parent | 7e29a79a46d30dc236d097825ab849158929d977 (diff) | |
| download | postgresql-b9b21acc766db54d8c337d508d0fe2f5bf2daab0.tar.gz postgresql-b9b21acc766db54d8c337d508d0fe2f5bf2daab0.zip | |
In extensions, don't replace objects not belonging to the extension.
Previously, if an extension script did CREATE OR REPLACE and there was
an existing object not belonging to the extension, it would overwrite
the object and adopt it into the extension. This is problematic, first
because the overwrite is probably unintentional, and second because we
didn't change the object's ownership. Thus a hostile user could create
an object in advance of an expected CREATE EXTENSION command, and would
then have ownership rights on an extension object, which could be
modified for trojan-horse-type attacks.
Hence, forbid CREATE OR REPLACE of an existing object unless it already
belongs to the extension. (Note that we've always forbidden replacing
an object that belongs to some other extension; only the behavior for
previously-free-standing objects changes here.)
For the same reason, also fail CREATE IF NOT EXISTS when there is
an existing object that doesn't belong to the extension.
Our thanks to Sven Klemm for reporting this problem.
Security: CVE-2022-2625
Diffstat (limited to 'src/backend/commands/view.c')
| -rw-r--r-- | src/backend/commands/view.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c index 8690a3f3c64..b5a0fc02e5c 100644 --- a/src/backend/commands/view.c +++ b/src/backend/commands/view.c @@ -190,7 +190,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, CommandCounterIncrement(); /* - * Finally update the view options. + * Update the view's options. * * The new options list replaces the existing options list, even if * it's empty. @@ -203,8 +203,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, /* EventTriggerAlterTableStart called by ProcessUtilitySlow */ AlterTableInternal(viewOid, atcmds, true); + /* + * There is very little to do here to update the view's dependencies. + * Most view-level dependency relationships, such as those on the + * owner, schema, and associated composite type, aren't changing. + * Because we don't allow changing type or collation of an existing + * view column, those dependencies of the existing columns don't + * change either, while the AT_AddColumnToView machinery took care of + * adding such dependencies for new view columns. The dependencies of + * the view's query could have changed arbitrarily, but that was dealt + * with inside StoreViewQuery. What remains is only to check that + * view replacement is allowed when we're creating an extension. + */ ObjectAddressSet(address, RelationRelationId, viewOid); + recordDependencyOnCurrentExtension(&address, true); + /* * Seems okay, so return the OID of the pre-existing view. */ |