database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

Only superuser can set sslcert/sslkey in postgres_fdw user mappings

Browse Source 
Othrwise there is a security risk.

Discussion: https://postgr.es/m/20200109103014.GA4192@msg.df7cb.de
This commit is contained in:
Andrew Dunstan
2020-01-13 18:08:09 +10:30
parent 4e514c6180
commit cebf9d6e6e
4 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
contrib/postgres_fdw/option.c
View File

@ -159,6 +159,16 @@ postgres_fdw_validator(PG_FUNCTION_ARGS)
errmsg("password_required=false is superuser-only"),
errhint("User mappings with the password_required option set to false may only be created or modified by the superuser")));
}
else if (strcmp(def->defname, "sslcert") == 0 ||
strcmp(def->defname, "sslkey") == 0)
{
/* similarly for sslcert / sslkey on user mapping */
if (catalog == UserMappingRelationId && !superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("sslcert and sslkey are superuser-only"),
errhint("User mappings with the sslcert or sslkey options set may only be created or modified by the superuser")));
}
}
PG_RETURN_VOID();