Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 54e2b64

Browse files
committed
Require execute permission on the trigger function for CREATE TRIGGER.
This check was overlooked when we added function execute permissions to the system years ago. For an ordinary trigger function it's not a big deal, since trigger functions execute with the permissions of the table owner, so they couldn't do anything the user issuing the CREATE TRIGGER couldn't have done anyway. However, if a trigger function is SECURITY DEFINER, that is not the case. The lack of checking would allow another user to install it on his own table and then invoke it with, essentially, forged input data; which the trigger function is unlikely to realize, so it might do something undesirable, for instance insert false entries in an audit log table. Reported by Dinesh Kumar, patch by Robert Haas Security: CVE-2012-0866
1 parent 630fa6f commit 54e2b64

File tree

2 files changed

+11
-3
lines changed

2 files changed

+11
-3
lines changed

doc/src/sgml/ref/create_trigger.sgml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -362,7 +362,8 @@ UPDATE OF <replaceable>column_name1</replaceable> [, <replaceable>column_name2</
362362

363363
<para>
364364
To create a trigger on a table, the user must have the
365-
<literal>TRIGGER</literal> privilege on the table.
365+
<literal>TRIGGER</literal> privilege on the table. The user must
366+
also have <literal>EXECUTE</literal> privilege on the trigger function.
366367
</para>
367368

368369
<para>

src/backend/commands/trigger.c

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -106,8 +106,8 @@ static void AfterTriggerSaveEvent(EState *estate, ResultRelInfo *relinfo,
106106
* if TRUE causes us to modify the given trigger name to ensure uniqueness.
107107
*
108108
* When isInternal is not true we require ACL_TRIGGER permissions on the
109-
* relation. For internal triggers the caller must apply any required
110-
* permission checks.
109+
* relation, as well as ACL_EXECUTE on the trigger function. For internal
110+
* triggers the caller must apply any required permission checks.
111111
*
112112
* Note: can return InvalidOid if we decided to not create a trigger at all,
113113
* but a foreign-key constraint. This is a kluge for backwards compatibility.
@@ -366,6 +366,13 @@ CreateTrigger(CreateTrigStmt *stmt, const char *queryString,
366366
* Find and validate the trigger function.
367367
*/
368368
funcoid = LookupFuncName(stmt->funcname, 0, fargtypes, false);
369+
if (!isInternal)
370+
{
371+
aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
372+
if (aclresult != ACLCHECK_OK)
373+
aclcheck_error(aclresult, ACL_KIND_PROC,
374+
NameListToString(stmt->funcname));
375+
}
369376
funcrettype = get_func_rettype(funcoid);
370377
if (funcrettype != TRIGGEROID)
371378
{

0 commit comments

Comments
 (0)