stringToNode() and deparse_expression_pretty() crash on invalid input,

but we have nevertheless exposed them to users via pg_get_expr(). It would
be too much maintenance effort to rigorously check the input, so put a hack
in place instead to restrict pg_get_expr() so that the argument must come
from one of the system catalog columns known to contain valid expressions.

Per report from Rushabh Lathia. Backpatch to 7.4 which is the oldest
supported version at the moment.

src/backend/tcop/fastpath.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/tcop/fastpath.c,v 1.94 2006/10/19 22:44:11 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/tcop/fastpath.c,v 1.94.2.1 2010/06/30 18:11:04 heikki Exp $
  *
  * NOTES
  *	  This cruft is the server side of PQfn.
@@ -29,6 +29,7 @@
 #include "tcop/fastpath.h"
 #include "tcop/tcopprot.h"
 #include "utils/acl.h"
+#include "utils/fmgroids.h"
 #include "utils/lsyscache.h"
 #include "utils/syscache.h"
 
@@ -348,6 +349,16 @@ HandleFunctionRequest(StringInfo msgBuf)
 		aclcheck_error(aclresult, ACL_KIND_PROC,
 					   get_func_name(fid));
 
+	/*
+	 * Restrict access to pg_get_expr(). This reflects the hack in
+	 * transformFuncCall() in parse_expr.c, see comments there for an
+	 * explanation.
+	 */
+	if ((fid == F_PG_GET_EXPR || fid == F_PG_GET_EXPR_EXT) && !superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("argument to pg_get_expr() must come from system catalogs")));
+
 	/*
 	 * Prepare function call info block and insert arguments.
 	 */