Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack.  Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548

diff --git a/src/backend/libpq/be-fsstubs.c b/src/backend/libpq/be-fsstubs.c
index 52bac4337d3ce71b17f65ac32e1de8f0f165ce6b..bcc90b9be2affd38db3ad9943488dd92836302a4 100644 (file)
--- a/src/backend/libpq/be-fsstubs.c
+++ b/src/backend/libpq/be-fsstubs.c
@@ -898,6 +898,18 @@ lo_put(PG_FUNCTION_ARGS)
    CreateFSContext();
 
    loDesc = inv_open(loOid, INV_WRITE, fscxt);
+
+   /* Permission check */
+   if (!lo_compat_privileges &&
+       pg_largeobject_aclcheck_snapshot(loDesc->id,
+                                        GetUserId(),
+                                        ACL_UPDATE,
+                                        loDesc->snapshot) != ACLCHECK_OK)
+       ereport(ERROR,
+               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                errmsg("permission denied for large object %u",
+                       loDesc->id)));
+
    inv_seek(loDesc, offset, SEEK_SET);
    written = inv_write(loDesc, VARDATA_ANY(str), VARSIZE_ANY_EXHDR(str));
    Assert(written == VARSIZE_ANY_EXHDR(str));

diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 1e630684f6dcca4432eb825228f1a0b8ea2f1fa2..3234c02438cbc0e8b6c0706fc8a3e401cce1005b 100644 (file)
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -1189,6 +1189,14 @@ SELECT lo_create(2002);
       2002
 (1 row)
 
+SELECT loread(lo_open(1001, x'20000'::int), 32);   -- allowed, for now
+ loread 
+--------
+ \x
+(1 row)
+
+SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd');  -- fail, wrong mode
+ERROR:  large object descriptor 0 was not opened for writing
 SELECT loread(lo_open(1001, x'40000'::int), 32);
  loread 
 --------
@@ -1284,6 +1292,8 @@ SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied
 ERROR:  permission denied for large object 1002
 SELECT lo_truncate(lo_open(1002, x'20000'::int), 10);  -- to be denied
 ERROR:  permission denied for large object 1002
+SELECT lo_put(1002, 1, 'abcd');                -- to be denied
+ERROR:  permission denied for large object 1002
 SELECT lo_unlink(1002);                    -- to be denied
 ERROR:  must be owner of large object 1002
 SELECT lo_export(1001, '/dev/null');           -- to be denied

diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index 099b095790d132b1f8f9843ab79112384532373a..8695607747b1e9d107e2d63b05082c00405efded 100644 (file)
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -753,6 +753,9 @@ SET SESSION AUTHORIZATION regressuser2;
 SELECT lo_create(2001);
 SELECT lo_create(2002);
 
+SELECT loread(lo_open(1001, x'20000'::int), 32);   -- allowed, for now
+SELECT lowrite(lo_open(1001, x'40000'::int), 'abcd');  -- fail, wrong mode
+
 SELECT loread(lo_open(1001, x'40000'::int), 32);
 SELECT loread(lo_open(1002, x'40000'::int), 32);   -- to be denied
 SELECT loread(lo_open(1003, x'40000'::int), 32);
@@ -792,6 +795,7 @@ SET SESSION AUTHORIZATION regressuser4;
 SELECT loread(lo_open(1002, x'40000'::int), 32);   -- to be denied
 SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd');  -- to be denied
 SELECT lo_truncate(lo_open(1002, x'20000'::int), 10);  -- to be denied
+SELECT lo_put(1002, 1, 'abcd');                -- to be denied
 SELECT lo_unlink(1002);                    -- to be denied
 SELECT lo_export(1001, '/dev/null');           -- to be denied