Prevent privilege escalation in explicit calls to PL validators.

The primary role of PL validators is to be called implicitly during CREATE FUNCTION, but they are also normal functions that a user can call explicitly. Add a permissions check to each validator to ensure that a user cannot use explicit validator calls to achieve things he could not otherwise achieve. Back-patch to 8.4 (all supported versions). Non-core procedural language extensions ought to make the same two-line change to their own validators. Andres Freund, reviewed by Tom Lane and Noah Misch. Security: CVE-2014-0061
2025-07-02 09:02:37 +03:00 · 2014-02-17 09:33:31 -05:00
parent 15a8f97b9d
commit 1d701d28a7
8 changed files with 109 additions and 2 deletions
--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@ -178,7 +178,10 @@ CREATE LANGUAGE plsample
    or updated a function written in the procedural language.
    The passed-in OID is the OID of the function's <classname>pg_proc</>
    row.  The validator must fetch this row in the usual way, and do
-    whatever checking is appropriate.  Typical checks include verifying
+    whatever checking is appropriate.
+    First, call <function>CheckFunctionValidatorAccess()</> to diagnose
+    explicit calls to the validator that the user could not achieve through
+    <command>CREATE FUNCTION</>.  Typical checks then include verifying
    that the function's argument and result types are supported by the
    language, and that the function's body is syntactically correct
    in the language.  If the validator finds the function to be okay,