From 537cbd35c893e67a63c59bc636c3e888bd228bc7 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 17 Feb 2014 09:33:31 -0500 Subject: Prevent privilege escalation in explicit calls to PL validators. The primary role of PL validators is to be called implicitly during CREATE FUNCTION, but they are also normal functions that a user can call explicitly. Add a permissions check to each validator to ensure that a user cannot use explicit validator calls to achieve things he could not otherwise achieve. Back-patch to 8.4 (all supported versions). Non-core procedural language extensions ought to make the same two-line change to their own validators. Andres Freund, reviewed by Tom Lane and Noah Misch. Security: CVE-2014-0061 --- doc/src/sgml/plhandler.sgml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'doc/src') diff --git a/doc/src/sgml/plhandler.sgml b/doc/src/sgml/plhandler.sgml index 024ef9d3b85..aa4bba3bee1 100644 --- a/doc/src/sgml/plhandler.sgml +++ b/doc/src/sgml/plhandler.sgml @@ -178,7 +178,10 @@ CREATE LANGUAGE plsample or updated a function written in the procedural language. The passed-in OID is the OID of the function's pg_proc row. The validator must fetch this row in the usual way, and do - whatever checking is appropriate. Typical checks include verifying + whatever checking is appropriate. + First, call CheckFunctionValidatorAccess() to diagnose + explicit calls to the validator that the user could not achieve through + CREATE FUNCTION. Typical checks then include verifying that the function's argument and result types are supported by the language, and that the function's body is syntactically correct in the language. If the validator finds the function to be okay, -- cgit v1.2.3
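Review bot: the sentence added after "whatever checking is appropriate." in plhandler.sgml tells validator authors to call CheckFunctionValidatorAccess() but not what to pass it or what to do with the outcome, and "diagnose" leaves open whether the call raises an error itself or reports a result the validator must act on. Since the commit message asks non-core procedural language extensions to make "the same two-line change", the paragraph should describe both lines (the arguments, and the action to take when access is refused) so extension authors can apply the fix from the documentation alone. "First" is also ambiguous where it sits, right after "The validator must fetch this row in the usual way": state explicitly whether the access check belongs before the pg_proc row is fetched or only before the remaining checks.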