author Tom Lane <tgl@sss.pgh.pa.us> 2021-02-08 10:14:09 -0500
committer Tom Lane <tgl@sss.pgh.pa.us> 2021-02-08 10:14:09 -0500
commit c028faf2a62ce476c8d689a33b12471dc98b80f2
tree 803914b64bb959f09bea8f945162772e543cf702 /src/backend/parser/parse_target.c
parent 6214e2b2280462cbc3aa1986e350e167651b3905
Fix mishandling of column-level SELECT privileges for join aliases.
scanNSItemForColumn, expandNSItemAttrs, and ExpandSingleTable would pass the wrong RTE to markVarForSelectPriv when dealing with a join ParseNamespaceItem: they'd pass the join RTE, when what we need to mark is the base table that the join column came from. The end result was to not fill the base table's selectedCols bitmap correctly, resulting in an understatement of the set of columns that are read by the query. The executor would still insist on there being at least one selectable column; but with a correctly crafted query, a user having SELECT privilege on just one column of a table would nonetheless be allowed to read all its columns.

To fix, make markRTEForSelectPriv fetch the correct RTE for itself, ignoring the possibly-mismatched RTE passed by the caller. Later, we'll get rid of some now-unused RTE arguments, but that risks API breaks so we won't do it in released branches.

This problem was introduced by commit 9ce77d75c, so back-patch to v13 where that came in. Thanks to Sven Klemm for reporting the problem.

Security: CVE-2021-20229
Diffstat (limited to 'src/backend/parser/parse_target.c')
-rw-r--r-- src/backend/parser/parse_target.c 8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/backend/parser/parse_target.c b/src/backend/parser/parse_target.c
index 51ecc16c42e..f582665aeae 100644
--- a/src/backend/parser/parse_target.c
+++ b/src/backend/parser/parse_target.c
@@ -1384,9 +1384,13 @@ ExpandSingleTable(ParseState *pstate, ParseNamespaceItem *nsitem,
/*
* Require read access to the table. This is normally redundant with
* the markVarForSelectPriv calls below, but not if the table has zero
- * columns.
+ * columns. We need not do anything if the nsitem is for a join: its
+ * component tables will have been marked ACL_SELECT when they were
+ * added to the rangetable. (This step changes things only for the
+ * target relation of UPDATE/DELETE, which cannot be under a join.)
*/
- rte->requiredPerms |= ACL_SELECT;
+ if (rte->rtekind == RTE_RELATION)
+ rte->requiredPerms |= ACL_SELECT;
/* Require read access to each column */
foreach(l, vars)
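Review bot: The new guard `if (rte->rtekind == RTE_RELATION)` in ExpandSingleTable skips the ACL_SELECT marking for every non-relation nsitem, while the rewritten comment justifies the skip only for joins. Either extend the comment to say why the other RTE kinds need no marking here, or make the condition match what the comment argues. The parenthetical that the UPDATE/DELETE target "cannot be under a join" is an invariant this branch now relies on, so an assertion or a pointer to where it is enforced would make that dependency checkable. The per-column marking in the `foreach(l, vars)` loop is untouched by this hunk, and the diffstat is limited to this file, so the RTE-lookup change the commit message describes has to be reviewed in the file that carries it.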