From 04158e7fa37c2dda9c3421ca922d02807b86df19 Mon Sep 17 00:00:00 2001
From: Alexander Korotkov
Date: Thu, 22 Aug 2024 09:50:48 +0300
Subject: Avoid repeated table name lookups in createPartitionTable()

Currently, createPartitionTable() opens newly created table using its name.
This approach is prone to privilege escalation attack, because we might end
up opening another table than we just created.

This commit address the issue above by opening newly created table by its
OID.  It appears to be tricky to get a relation OID out of ProcessUtility().
We have to extend TableLikeClause with new newRelationOid field, which is
filled within ProcessUtility() to be further accessed by caller.

Security: CVE-2014-0062
Reported-by: Noah Misch
Discussion: https://postgr.es/m/20240808171351.a9.nmisch%40google.com
Reviewed-by: Pavel Borisov, Dmitry Koval
---
 src/backend/parser/gram.y | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/backend/parser')

diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index c3f25582c38..b7d98eb9f02 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -4138,6 +4138,7 @@ TableLikeClause:
 					n->relation = $2;
 					n->options = $3;
 					n->relationOid = InvalidOid;
+					n->newRelationOid = InvalidOid;
 					$$ = (Node *) n;
 				}
 		;
-- 
cgit v1.2.3