Check CREATE privilege on multirange type schema in CREATE TYPE.
This omission allowed roles to create multirange types in any schema, potentially leading to privilege escalations. Note that when a multirange type name is not specified in CREATE TYPE, it is automatically placed in the range type's schema, which is checked at the beginning of DefineRange(). Reported-by: Jelte Fennema-Nio <postgres@jeltef.nl> Author: Jelte Fennema-Nio <postgres@jeltef.nl> Reviewed-by: Nathan Bossart <nathandbossart@gmail.com> Reviewed-by: Tomas Vondra <tomas@vondra.me> Security: CVE-2026-6472 Backpatch-through: 14
parent
d389415ffa
commit
4793fc41f8
3 changed files with 39 additions and 0 deletions
|
|
@ -1494,6 +1494,13 @@ DefineRange(ParseState *pstate, CreateRangeStmt *stmt)
|
|||
/* we can look up the subtype name immediately */
|
||||
multirangeNamespace = QualifiedNameGetCreationNamespace(defGetQualifiedName(defel),
|
||||
&multirangeTypeName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = object_aclcheck(NamespaceRelationId, multirangeNamespace,
|
||||
GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(multirangeNamespace));
|
||||
}
|
||||
else
|
||||
ereport(ERROR,
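Review bot: The added comment above `object_aclcheck()` does not say why the CREATE check sits only in the explicit `multirange_type_name` branch. The commit message explains that a defaulted multirange name lands in the range type's schema, which is checked at the start of DefineRange(), but a reader of this code has no pointer to that. I would widen the comment to something like `/* Check CREATE on the multirange's namespace; a defaulted name uses the range type's namespace, which is checked earlier in DefineRange() */`. The option loop and the earlier namespace check lie outside this hunk, so their relative order cannot be confirmed from here.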
|
||||
|
|
|
|||
|
|
@ -3262,6 +3262,22 @@ drop type textrange1;
|
|||
reset role;
|
||||
drop role regress_multirange_owner;
|
||||
--
|
||||
-- CREATE TYPE checks for CREATE on multirange schema
|
||||
--
|
||||
create role regress_mr;
|
||||
create schema mr_sch;
|
||||
set role regress_mr;
|
||||
create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
|
||||
ERROR: permission denied for schema mr_sch
|
||||
reset role;
|
||||
grant create on schema mr_sch to regress_mr;
|
||||
set role regress_mr;
|
||||
create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
|
||||
reset role;
|
||||
drop type mytype;
|
||||
drop schema mr_sch;
|
||||
drop role regress_mr;
|
||||
--
|
||||
-- Test polymorphic type system
|
||||
--
|
||||
create function anyarray_anymultirange_func(a anyarray, r anymultirange)
|
||||
|
|
|
|||
|
|
@ -743,6 +743,22 @@ drop type textrange1;
|
|||
reset role;
|
||||
drop role regress_multirange_owner;
|
||||
|
||||
--
|
||||
-- CREATE TYPE checks for CREATE on multirange schema
|
||||
--
|
||||
create role regress_mr;
|
||||
create schema mr_sch;
|
||||
set role regress_mr;
|
||||
create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
|
||||
reset role;
|
||||
grant create on schema mr_sch to regress_mr;
|
||||
set role regress_mr;
|
||||
create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
|
||||
reset role;
|
||||
drop type mytype;
|
||||
drop schema mr_sch;
|
||||
drop role regress_mr;
|
||||
|
||||
--
|
||||
-- Test polymorphic type system
|
||||
--
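Review bot: The passing case stops at the second `create type` succeeding, so the test never confirms that `mr_type` was actually placed in `mr_sch`. A catalog check after it, for example `select typnamespace::regnamespace from pg_type where typname = 'mr_type';`, would pin the namespace that the new ACL check guards. The denial case also exercises only a schema-qualified `multirange_type_name`; an unqualified name resolved through `search_path` looks like it reaches the same check, but that is inferred and not covered here. The same statements appear in the preceding section, which looks like the expected output and would need the matching result rows.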
|
||||
|
|
|
|||