database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-09 06:21:09 +03:00
Code Activity

Fix permission-checking bug reported by Tim Burgess 10-Feb-03 (this time

Browse Source 
for sure...).  Rather than relying on the query context of a rangetable
entry to identify what permissions it wants checked, store a full AclMode
mask in each RTE, and check exactly those bits.  This allows an RTE
specifying, say, INSERT privilege on a view to be copied into a derived
UPDATE query without changing meaning.  Per recent discussion thread.
initdb forced due to change of stored rule representation.
This commit is contained in:
Tom Lane
2004-01-14 23:01:55 +00:00
parent 01d320d421
commit cfd7fb7ed4
18 changed files with 186 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/backend/parser/analyze.c
View File

@@ -6,7 +6,7 @@
* Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $PostgreSQL: pgsql/src/backend/parser/analyze.c,v 1.295 2004/01/11 04:58:17 neilc Exp $
* $PostgreSQL: pgsql/src/backend/parser/analyze.c,v 1.296 2004/01/14 23:01:55 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -472,7 +472,8 @@ transformDeleteStmt(ParseState *pstate, DeleteStmt *stmt)
/* set up range table with just the result rel */
qry->resultRelation = setTargetTable(pstate, stmt->relation,
interpretInhOption(stmt->relation->inhOpt),
true);
true,
ACL_DELETE);
qry->distinctClause = NIL;
@@ -539,7 +540,7 @@ transformInsertStmt(ParseState *pstate, InsertStmt *stmt,
* table is not added to the joinlist or namespace.
*/
qry->resultRelation = setTargetTable(pstate, stmt->relation,
false, false);
false, false, ACL_INSERT);
/*
* Is it INSERT ... SELECT or INSERT ... VALUES?
@@ -1721,8 +1722,8 @@ transformRuleStmt(ParseState *pstate, RuleStmt *stmt,
makeAlias("*NEW*", NIL),
false, true);
/* Must override addRangeTableEntry's default access-check flags */
oldrte->checkForRead = false;
newrte->checkForRead = false;
oldrte->requiredPerms = 0;
newrte->requiredPerms = 0;
/*
* They must be in the namespace too for lookup purposes, but only add
@@ -1820,8 +1821,8 @@ transformRuleStmt(ParseState *pstate, RuleStmt *stmt,
newrte = addRangeTableEntry(sub_pstate, stmt->relation,
makeAlias("*NEW*", NIL),
false, false);
oldrte->checkForRead = false;
newrte->checkForRead = false;
oldrte->requiredPerms = 0;
newrte->requiredPerms = 0;
addRTEtoQuery(sub_pstate, oldrte, false, true);
addRTEtoQuery(sub_pstate, newrte, false, true);
@@ -2493,7 +2494,8 @@ transformUpdateStmt(ParseState *pstate, UpdateStmt *stmt)
qry->resultRelation = setTargetTable(pstate, stmt->relation,
interpretInhOption(stmt->relation->inhOpt),
true);
true,
ACL_UPDATE);
/*
* the FROM clause is non-standard SQL syntax. We used to be able to
@@ -2880,7 +2882,7 @@ transformForUpdate(Query *qry, List *forUpdate)
case RTE_RELATION:
if (!intMember(i, rowMarks)) /* avoid duplicates */
rowMarks = lappendi(rowMarks, i);
rte->checkForWrite = true;
rte->requiredPerms |= ACL_SELECT_FOR_UPDATE;
break;
case RTE_SUBQUERY:
/*
@@ -2915,7 +2917,7 @@ transformForUpdate(Query *qry, List *forUpdate)
case RTE_RELATION:
if (!intMember(i, rowMarks)) /* avoid duplicates */
rowMarks = lappendi(rowMarks, i);
rte->checkForWrite = true;
rte->requiredPerms |= ACL_SELECT_FOR_UPDATE;
break;
case RTE_SUBQUERY:
/*

20
src/backend/parser/parse_clause.c
View File

@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/parser/parse_clause.c,v 1.125 2003/11/29 19:51:51 pgsql Exp $
* $PostgreSQL: pgsql/src/backend/parser/parse_clause.c,v 1.126 2004/01/14 23:01:55 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -116,11 +116,14 @@ transformFromClause(ParseState *pstate, List *frmList)
* to check for namespace conflict; we assume that the namespace was
* initially empty in these cases.)
*
* Finally, we mark the relation as requiring the permissions specified
* by requiredPerms.
*
* Returns the rangetable index of the target relation.
*/
int
setTargetTable(ParseState *pstate, RangeVar *relation,
bool inh, bool alsoSource)
bool inh, bool alsoSource, AclMode requiredPerms)
{
RangeTblEntry *rte;
int rtindex;
@@ -149,16 +152,15 @@ setTargetTable(ParseState *pstate, RangeVar *relation,
Assert(rte == rt_fetch(rtindex, pstate->p_rtable));
/*
* Override addRangeTableEntry's default checkForRead, and instead
* mark target table as requiring write access.
* Override addRangeTableEntry's default ACL_SELECT permissions check,
* and instead mark target table as requiring exactly the specified
* permissions.
*
* If we find an explicit reference to the rel later during parse
* analysis, scanRTEForColumn will change checkForRead to 'true'
* again. That can't happen for INSERT but it is possible for UPDATE
* and DELETE.
* analysis, scanRTEForColumn will add the ACL_SELECT bit back again.
* That can't happen for INSERT but it is possible for UPDATE and DELETE.
*/
rte->checkForRead = false;
rte->checkForWrite = true;
rte->requiredPerms = requiredPerms;
/*
* If UPDATE/DELETE, add table to joinlist and namespace.

48
src/backend/parser/parse_relation.c
View File

@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/parser/parse_relation.c,v 1.91 2003/11/29 19:51:52 pgsql Exp $
* $PostgreSQL: pgsql/src/backend/parser/parse_relation.c,v 1.92 2004/01/14 23:01:55 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -437,7 +437,7 @@ RTERangeTablePosn(ParseState *pstate, RangeTblEntry *rte, int *sublevels_up)
* nothing. It might seem that we need to propagate the mark to all the
* contained RTEs, but that is not necessary. This is so because a join
* expression can only appear in a FROM clause, and any table named in
* FROM will be marked checkForRead from the beginning.
* FROM will be marked as requiring read access from the beginning.
*/
static Node *
scanRTEForColumn(ParseState *pstate, RangeTblEntry *rte, char *colname)
@@ -477,7 +477,8 @@ scanRTEForColumn(ParseState *pstate, RangeTblEntry *rte, char *colname)
errmsg("column reference \"%s\" is ambiguous",
colname)));
result = (Node *) make_var(pstate, rte, attnum);
rte->checkForRead = true;
/* Require read access */
rte->requiredPerms |= ACL_SELECT;
}
}
@@ -504,7 +505,8 @@ scanRTEForColumn(ParseState *pstate, RangeTblEntry *rte, char *colname)
0, 0))
{
result = (Node *) make_var(pstate, rte, attnum);
rte->checkForRead = true;
/* Require read access */
rte->requiredPerms |= ACL_SELECT;
}
}
}
@@ -689,7 +691,7 @@ addRangeTableEntry(ParseState *pstate,
* Flags:
* - this RTE should be expanded to include descendant tables,
* - this RTE is in the FROM clause,
* - this RTE should be checked for read/write access rights.
* - this RTE should be checked for appropriate access rights.
*
* The initial default on access checks is always check-for-READ-access,
* which is the right thing for all except target tables.
@@ -697,10 +699,9 @@ addRangeTableEntry(ParseState *pstate,
*/
rte->inh = inh;
rte->inFromCl = inFromCl;
rte->checkForRead = true;
rte->checkForWrite = false;
rte->checkAsUser = InvalidOid; /* not set-uid by default, either */
rte->requiredPerms = ACL_SELECT;
rte->checkAsUser = 0; /* not set-uid by default, either */
/*
* Add completed RTE to pstate's range table list, but not to join
@@ -784,7 +785,7 @@ addRangeTableEntryForRelation(ParseState *pstate,
* Flags:
* - this RTE should be expanded to include descendant tables,
* - this RTE is in the FROM clause,
* - this RTE should be checked for read/write access rights.
* - this RTE should be checked for appropriate access rights.
*
* The initial default on access checks is always check-for-READ-access,
* which is the right thing for all except target tables.
@@ -792,10 +793,9 @@ addRangeTableEntryForRelation(ParseState *pstate,
*/
rte->inh = inh;
rte->inFromCl = inFromCl;
rte->checkForRead = true;
rte->checkForWrite = false;
rte->checkAsUser = InvalidOid; /* not set-uid by default, either */
rte->requiredPerms = ACL_SELECT;
rte->checkAsUser = 0; /* not set-uid by default, either */
/*
* Add completed RTE to pstate's range table list, but not to join
@@ -864,17 +864,16 @@ addRangeTableEntryForSubquery(ParseState *pstate,
* Flags:
* - this RTE should be expanded to include descendant tables,
* - this RTE is in the FROM clause,
* - this RTE should be checked for read/write access rights.
* - this RTE should be checked for appropriate access rights.
*
* Subqueries are never checked for access rights.
*----------
*/
rte->inh = false; /* never true for subqueries */
rte->inFromCl = inFromCl;
rte->checkForRead = false;
rte->checkForWrite = false;
rte->checkAsUser = InvalidOid;
rte->requiredPerms = 0;
rte->checkAsUser = 0;
/*
* Add completed RTE to pstate's range table list, but not to join
@@ -1034,15 +1033,17 @@ addRangeTableEntryForFunction(ParseState *pstate,
* Flags:
* - this RTE should be expanded to include descendant tables,
* - this RTE is in the FROM clause,
* - this RTE should be checked for read/write access rights.
* - this RTE should be checked for appropriate access rights.
*
* Functions are never checked for access rights (at least, not by
* the RTE permissions mechanism).
*----------
*/
rte->inh = false; /* never true for functions */
rte->inFromCl = inFromCl;
rte->checkForRead = true;
rte->checkForWrite = false;
rte->checkAsUser = InvalidOid;
rte->requiredPerms = 0;
rte->checkAsUser = 0;
/*
* Add completed RTE to pstate's range table list, but not to join
@@ -1095,17 +1096,16 @@ addRangeTableEntryForJoin(ParseState *pstate,
* Flags:
* - this RTE should be expanded to include descendant tables,
* - this RTE is in the FROM clause,
* - this RTE should be checked for read/write access rights.
* - this RTE should be checked for appropriate access rights.
*
* Joins are never checked for access rights.
*----------
*/
rte->inh = false; /* never true for joins */
rte->inFromCl = inFromCl;
rte->checkForRead = false;
rte->checkForWrite = false;
rte->checkAsUser = InvalidOid;
rte->requiredPerms = 0;
rte->checkAsUser = 0;
/*
* Add completed RTE to pstate's range table list, but not to join