Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers@postgreSQL.org
Date: 2012-06-11T17:19:20Z
Lists: pgsql-hackers
Attachments
- alter-strictness-security-v1.patch (text/plain) patch v1
On Wed, May 30, 2012 at 07:34:16PM -0400, Noah Misch wrote: > ALTER FUNCTION OWNER TO on a C-language function conveys more trust than > meets the eye: > > BEGIN; > CREATE ROLE alice; > CREATE FUNCTION mylen(text) RETURNS integer LANGUAGE internal IMMUTABLE STRICT AS 'textlen'; > ALTER FUNCTION mylen(text) OWNER TO alice; > COMMIT; > > SET SESSION AUTHORIZATION alice; > ALTER FUNCTION mylen(text) CALLED ON NULL INPUT; > SELECT mylen(NULL); -- SIGSEGV > > CREATE FUNCTION + ALTER FUNCTION OWNER TO is useful for creating another > user's untrusted-language SECURITY DEFINER function. ALTER FUNCTION CALLED ON > NULL INPUT ought to require that the user be eligible to redefine the function > completely. Here's a patch implementing that restriction. To clarify, I see no need to repeat *all* the CREATE-time checks; for example, there's no need to recheck permission to use the return type. The language usage check is enough. I didn't feel the need to memorialize a test like the above in an actual regression test, but that's the one I used to verify the change. Considering the crash potential, I'd recommend backpatching this. Thanks, nm