author Tom Lane 2012-02-23 20:39:14 +0000
committer Tom Lane 2012-02-23 20:39:14 +0000
commit 993b3e50845134e863968bcdaf148ff3e576c74a
tree a6b683fe14edab65211e1dd5ec6d84eb457ff913
parent 94e2495ded9771e439326d07f6f2d590438b005b
Require execute permission on the trigger function for CREATE TRIGGER.

This check was overlooked when we added function execute permissions to the system years ago. For an ordinary trigger function it's not a big deal, since trigger functions execute with the permissions of the table owner, so they couldn't do anything the user issuing the CREATE TRIGGER couldn't have done anyway. However, if a trigger function is SECURITY DEFINER, that is not the case. The lack of checking would allow another user to install it on his own table and then invoke it with, essentially, forged input data; which the trigger function is unlikely to realize, so it might do something undesirable, for instance insert false entries in an audit log table.

Reported by Dinesh Kumar, patch by Robert Haas

Security: CVE-2012-0866
-rw-r--r-- doc/src/sgml/ref/create_trigger.sgml 3
-rw-r--r-- src/backend/commands/trigger.c 4
2 files changed, 6 insertions, 1 deletions
diff --git a/doc/src/sgml/ref/create_trigger.sgml b/doc/src/sgml/ref/create_trigger.sgml
index 8d7574319f9..ecb1f56cbfe 100644
--- a/doc/src/sgml/ref/create_trigger.sgml
+++ b/doc/src/sgml/ref/create_trigger.sgml
@@ -183,7 +183,8 @@ CREATE TRIGGER <replaceable class="PARAMETER">name</replaceable> { BEFORE | AFTE
<para>
To create a trigger on a table, the user must have the
- <literal>TRIGGER</literal> privilege on the table.
+ <literal>TRIGGER</literal> privilege on the table. The user must
+ also have <literal>EXECUTE</literal> privilege on the trigger function.
</para>
<para>
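Review bot: The added sentence in this <para> states the EXECUTE requirement but not when it has any effect. Functions are created with EXECUTE granted to PUBLIC by default, so the new check restricts nothing until the function owner revokes that grant. Consider adding a clause saying so, and naming SECURITY DEFINER trigger functions as the case the requirement protects, so that readers of create_trigger.sgml know they have to act on existing functions.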
diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c
index e3c771a933f..cadca5c01b0 100644
--- a/src/backend/commands/trigger.c
+++ b/src/backend/commands/trigger.c
@@ -161,6 +161,10 @@ CreateTrigger(CreateTrigStmt *stmt, Oid constraintOid, bool checkPermissions)
* Find and validate the trigger function.
*/
funcoid = LookupFuncName(stmt->funcname, 0, fargtypes, false);
+ aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, ACL_KIND_PROC,
+ NameListToString(stmt->funcname));
funcrettype = get_func_rettype(funcoid);
if (funcrettype != TRIGGEROID)
{
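Review bot: The new pg_proc_aclcheck() call placed right after LookupFuncName() runs unconditionally, although CreateTrigger() takes a checkPermissions argument. If any caller passes checkPermissions = false for an internally generated trigger, the function check is still applied against GetUserId() for it; either gate the check on checkPermissions or add a comment stating that it is deliberately unconditional. The added lines also carry no comment of their own, and a one-line note that the check matters for SECURITY DEFINER functions would keep a later cleanup from removing it. The diffstat lists only the SGML file and trigger.c, so there is no regression test covering the denied case.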