Fix priv checks for ALTER <object> DEPENDS ON EXTENSION

Marking an object as dependant on an extension did not have any privilege check whatsoever; this allowed any user to mark objects as droppable by anyone able to DROP EXTENSION, which could be used to cause system-wide havoc. Disallow by checking that the calling user owns the mentioned object. (No constraints are placed on the extension.) Security: CVE-2020-1720 Reported-by: Tom Lane Discussion: 31605.1566429043@sss.pgh.pa.us
2025-05-06 19:59:18 +03:00 · 2020-02-10 11:47:09 -03:00 · 2020-02-10 11:47:09 -03:00 · e8b8eb9376
commit e8b8eb9376
parent 384ecd6efe
1 changed files with 13 additions and 0 deletions
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@ -408,6 +408,19 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre
 		get_object_address_rv(stmt->objectType, stmt->relation, stmt->objname,
 							stmt->objargs, &rel, AccessExclusiveLock, false);

+	/*
+	 * Verify that the user is entitled to run the command.
+	 *
+	 * We don't check any privileges on the extension, because that's not
+	 * needed.  The object owner is stipulating, by running this command, that
+	 * the extension owner can drop the object whenever they feel like it,
+	 * which is not considered a problem.
+	 */
+	check_object_ownership(GetUserId(),
+						   stmt->objectType, address,
+						   stmt->objname, stmt->objargs,
+						   rel);
+
 	/*
 	 * If a relation was involved, it would have been opened and locked. We
 	 * don't need the relation here, but we'll retain the lock until commit.