Ignore SECURITY DEFINER and SET attributes for a PL's call handler.
It's not very sensible to set such attributes on a handler function;
but if one were to do so, fmgr.c went into infinite recursion because
it would call fmgr_security_definer instead of the handler function proper.
There is no way for fmgr_security_definer to know that it ought to call the
handler and not the original function referenced by the FmgrInfo's fn_oid,
so it tries to do the latter, causing the whole process to start over
Ordinarily such misconfiguration of a procedural language's handler could
be written off as superuser error. However, because we allow non-superuser
database owners to create procedural languages and the handler for such a
language becomes owned by the database owner, it is possible for a database
owner to crash the backend, which ideally shouldn't be possible without
superuser privileges. In 9.2 and up we will adjust things so that the
handler functions are always owned by superusers, but in existing branches
this is a minor security fix.
Problem noted by Noah Misch (after several of us had failed to detect
it :-(). This is CVE-2012-2655.
src/backend/utils/fmgr/fmgr.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
pgsql-committers by date
|Next:||From: Tom Lane||Date: 2012-05-31 03:48:10|
|Subject: pgsql: Force PL and range-type support functions to be owned by asuper|
|Previous:||From: Tom Lane||Date: 2012-05-30 23:59:30|
|Subject: pgsql: Expand the allowed range of timezone offsets to +/-15:59:59from|