diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/commands/variable.c | 37 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc.c | 32 | ||||
| -rw-r--r-- | src/include/utils/guc_tables.h | 4 |
3 files changed, 33 insertions, 40 deletions
diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c index 458b0a3a169..4ec57e11d33 100644 --- a/src/backend/commands/variable.c +++ b/src/backend/commands/variable.c @@ -9,7 +9,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.114.2.3 2008/01/03 21:24:26 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.114.2.4 2009/09/03 22:08:45 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -623,22 +623,6 @@ assign_session_authorization(const char *value, bool doit, GucSource source) /* not a saved ID, so look it up */ HeapTuple roleTup; - if (InSecurityDefinerContext()) - { - /* - * Disallow SET SESSION AUTHORIZATION inside a security definer - * context. We need to do this because when we exit the context, - * GUC won't be notified, leaving things out of sync. Note that - * this test is positioned so that restoring a previously saved - * setting isn't prevented. - */ - if (source >= PGC_S_INTERACTIVE) - ereport(ERROR, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("cannot set session authorization within security-definer function"))); - return NULL; - } - if (!IsTransactionState()) { /* @@ -746,25 +730,6 @@ assign_role(const char *value, bool doit, GucSource source) } } - if (roleid == InvalidOid && InSecurityDefinerContext()) - { - /* - * Disallow SET ROLE inside a security definer context. We need to do - * this because when we exit the context, GUC won't be notified, - * leaving things out of sync. Note that this test is arranged so - * that restoring a previously saved setting isn't prevented. - * - * XXX it would be nice to allow this case in future, with the - * behavior being that the SET ROLE's effects end when the security - * definer context is exited. - */ - if (source >= PGC_S_INTERACTIVE) - ereport(ERROR, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("cannot set role within security-definer function"))); - return NULL; - } - if (roleid == InvalidOid && strcmp(actual_rolename, "none") != 0) { diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 099e4faed1d..06dce7c4053 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut <peter_e@gmx.net>. * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.299.2.4 2008/05/26 18:54:50 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.299.2.5 2009/09/03 22:08:45 tgl Exp $ * *-------------------------------------------------------------------- */ @@ -1936,7 +1936,7 @@ static struct config_string ConfigureNamesString[] = {"role", PGC_USERSET, UNGROUPED, gettext_noop("Sets the current role."), NULL, - GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE + GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF }, &role_string, "none", assign_role, show_role @@ -1947,7 +1947,7 @@ static struct config_string ConfigureNamesString[] = {"session_authorization", PGC_USERSET, UNGROUPED, gettext_noop("Sets the session user name."), NULL, - GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE + GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF }, &session_authorization_string, NULL, assign_session_authorization, show_session_authorization @@ -3666,6 +3666,32 @@ set_config_option(const char *name, const char *value, } /* + * Disallow changing GUC_NOT_WHILE_SEC_DEF values if we are inside a + * security-definer function. We can reject this regardless of + * the context or source, mainly because sources that it might be + * reasonable to override for won't be seen while inside a function. + * + * Note: variables marked GUC_NOT_WHILE_SEC_DEF should probably be marked + * GUC_NO_RESET_ALL as well, because ResetAllOptions() doesn't check this. + * + * Note: this flag is currently used for "session_authorization" and + * "role". We need to prohibit this because when we exit the sec-def + * context, GUC won't be notified, leaving things out of sync. + * + * XXX it would be nice to allow these cases in future, with the behavior + * being that the SET's effects end when the security definer context is + * exited. + */ + if ((record->flags & GUC_NOT_WHILE_SEC_DEF) && InSecurityDefinerContext()) + { + ereport(elevel, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("cannot set parameter \"%s\" within security-definer function", + name))); + return false; + } + + /* * Should we set reset/stacked values? (If so, the behavior is not * transactional.) */ diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h index 2ee7808bd04..05b1dc48cf2 100644 --- a/src/include/utils/guc_tables.h +++ b/src/include/utils/guc_tables.h @@ -7,7 +7,7 @@ * * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * - * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.20.2.1 2006/02/12 22:32:57 tgl Exp $ + * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.20.2.2 2009/09/03 22:08:45 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -128,6 +128,8 @@ struct config_generic #define GUC_SUPERUSER_ONLY 0x0100 /* show only to superusers */ #define GUC_IS_NAME 0x0200 /* limit string to NAMEDATALEN-1 */ +#define GUC_NOT_WHILE_SEC_DEF 0x8000 /* can't change inside sec-def func */ + /* bit values in status field */ #define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */ #define GUC_HAVE_LOCAL 0x0002 /* a SET LOCAL has been executed */ |