Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer - postgresql.git - This is the main PostgreSQL git repository.

diff options

author	Tom Lane	2009-09-03 22:08:23 +0000
committer	Tom Lane	2009-09-03 22:08:23 +0000
commit	fe8170dcfa9dda7cb46735a17542955cae2acf79 (patch)
tree	3d0f5338a668e3b3b13dcb58ede879271b6c14df /contrib/xml2/xpath.c
parent	095f7ba339ea26d66bbd84f6aa92fbc3e9d28ff2 (diff)

Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer

functions. This extends the previous patch that forbade SETting these variables inside security-definer functions. RESET is equally a security hole, since it would allow regaining privileges of the caller; furthermore it can trigger Assert failures and perhaps other internal errors, since the code is not expecting these variables to change in such contexts. The previous patch did not cover this case because assign hooks don't really have enough information, so move the responsibility for preventing this into guc.c. Problem discovered by Heikki Linnakangas. Security: no CVE assigned yet, extends CVE-2007-6600

Diffstat (limited to 'contrib/xml2/xpath.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: