pgsql: Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside

Поиск
Список
Период
Сортировка
От tgl@postgresql.org (Tom Lane)
Тема pgsql: Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside
Дата
Msg-id 20090903220854.ACD91753FB7@cvs.postgresql.org
обсуждение исходный текст
Список pgsql-committers
Дерево обсуждения 
Log Message:
-----------
Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer
functions.

This extends the previous patch that forbade SETting these variables inside
security-definer functions.  RESET is equally a security hole, since it
would allow regaining privileges of the caller; furthermore it can trigger
Assert failures and perhaps other internal errors, since the code is not
expecting these variables to change in such contexts.  The previous patch
did not cover this case because assign hooks don't really have enough
information, so move the responsibility for preventing this into guc.c.

Problem discovered by Heikki Linnakangas.

Security: no CVE assigned yet, extends CVE-2007-6600

Tags:
----
REL8_0_STABLE

Modified Files:
--------------
    pgsql/src/backend/commands:
        variable.c (r1.105.4.4 -> r1.105.4.5)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/variable.c?r1=1.105.4.4&r2=1.105.4.5)
    pgsql/src/backend/utils/misc:
        guc.c (r1.252.4.5 -> r1.252.4.6)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/misc/guc.c?r1=1.252.4.5&r2=1.252.4.6)
    pgsql/src/include/utils:
        guc_tables.h (r1.19.4.1 -> r1.19.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/include/utils/guc_tables.h?r1=1.19.4.1&r2=1.19.4.2)

В списке pgsql-committers по дате отправления:

Предыдущее
От: tgl@postgresql.org (Tom Lane)
Дата:
Сообщение: pgsql: Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside
Следующее
От: tgl@postgresql.org (Tom Lane)
Дата:
Сообщение: pgsql: Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside