Prohibit transaction commands in security definer procedures

Starting and aborting transactions in security definer procedures doesn't work. StartTransaction() insists that the security context stack is empty, so this would currently cause a crash, and AbortTransaction() resets it. This could be made to work by reorganizing the code, but right now we just prohibit it. Reported-by: amul sul <sulamul@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/CAAJ_b96Gupt_LFL7uNyy3c50-wbhA68NUjiK5%3DrF6_w%3Dpq_T%3DQ%40mail.gmail.com
2025-06-26 12:21:12 +03:00 · 2018-07-04 09:26:19 +02:00
parent 39035a5289
commit 3804e89bd0
4 changed files with 40 additions and 0 deletions
--- a/doc/src/sgml/ref/create_procedure.sgml
+++ b/doc/src/sgml/ref/create_procedure.sgml
@ -203,6 +203,12 @@ CREATE [ OR REPLACE ] PROCEDURE
      conformance, but it is optional since, unlike in SQL, this feature
      applies to all procedures not only external ones.
     </para>
+
+     <para>
+      A <literal>SECURITY DEFINER</literal> procedure cannot execute
+      transaction control statements (for example, <command>COMMIT</command>
+      and <command>ROLLBACK</command>, depending on the language).
+     </para>
    </listitem>
   </varlistentry>