summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Eisentraut2018-07-04 07:26:19 +0000
committerPeter Eisentraut2018-07-13 08:41:32 +0000
commit3884072329bd1ad7d41bf7582c5d60e969365634 (patch)
treeda3724960a864d083aab60b66d060f35a9b9ced9
parent1f4ec8945967a75f711d721860752985624a0957 (diff)
Prohibit transaction commands in security definer procedures
Starting and aborting transactions in security definer procedures doesn't work. StartTransaction() insists that the security context stack is empty, so this would currently cause a crash, and AbortTransaction() resets it. This could be made to work by reorganizing the code, but right now we just prohibit it. Reported-by: amul sul <[email protected]> Discussion: https://www.postgresql.org/message-id/flat/CAAJ_b96Gupt_LFL7uNyy3c50-wbhA68NUjiK5%3DrF6_w%3Dpq_T%3DQ%40mail.gmail.com
-rw-r--r--doc/src/sgml/ref/create_procedure.sgml6
-rw-r--r--src/backend/commands/functioncmds.c9
-rw-r--r--src/pl/plpgsql/src/expected/plpgsql_transaction.out12
-rw-r--r--src/pl/plpgsql/src/sql/plpgsql_transaction.sql13
4 files changed, 40 insertions, 0 deletions
diff --git a/doc/src/sgml/ref/create_procedure.sgml b/doc/src/sgml/ref/create_procedure.sgml
index f3c3bb006c..6c1de34b01 100644
--- a/doc/src/sgml/ref/create_procedure.sgml
+++ b/doc/src/sgml/ref/create_procedure.sgml
@@ -203,6 +203,12 @@ CREATE [ OR REPLACE ] PROCEDURE
conformance, but it is optional since, unlike in SQL, this feature
applies to all procedures not only external ones.
</para>
+
+ <para>
+ A <literal>SECURITY DEFINER</literal> procedure cannot execute
+ transaction control statements (for example, <command>COMMIT</command>
+ and <command>ROLLBACK</command>, depending on the language).
+ </para>
</listitem>
</varlistentry>
diff --git a/src/backend/commands/functioncmds.c b/src/backend/commands/functioncmds.c
index 84daa19e06..68109bfda0 100644
--- a/src/backend/commands/functioncmds.c
+++ b/src/backend/commands/functioncmds.c
@@ -2246,6 +2246,15 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver
callcontext->atomic = true;
/*
+ * In security definer procedures, we can't allow transaction commands.
+ * StartTransaction() insists that the security context stack is empty,
+ * and AbortTransaction() resets the security context. This could be
+ * reorganized, but right now it doesn't work.
+ */
+ if (((Form_pg_proc )GETSTRUCT(tp))->prosecdef)
+ callcontext->atomic = true;
+
+ /*
* Expand named arguments, defaults, etc.
*/
fexpr->args = expand_function_arguments(fexpr->args, fexpr->funcresulttype, tp);
diff --git a/src/pl/plpgsql/src/expected/plpgsql_transaction.out b/src/pl/plpgsql/src/expected/plpgsql_transaction.out
index 274b2c6f17..0b5a039b89 100644
--- a/src/pl/plpgsql/src/expected/plpgsql_transaction.out
+++ b/src/pl/plpgsql/src/expected/plpgsql_transaction.out
@@ -130,6 +130,18 @@ $$;
CALL transaction_test5();
ERROR: invalid transaction termination
CONTEXT: PL/pgSQL function transaction_test5() line 3 at COMMIT
+-- SECURITY DEFINER currently disallow transaction statements
+CREATE PROCEDURE transaction_test5b()
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+ COMMIT;
+END;
+$$;
+CALL transaction_test5b();
+ERROR: invalid transaction termination
+CONTEXT: PL/pgSQL function transaction_test5b() line 3 at COMMIT
TRUNCATE test1;
-- nested procedure calls
CREATE PROCEDURE transaction_test6(c text)
diff --git a/src/pl/plpgsql/src/sql/plpgsql_transaction.sql b/src/pl/plpgsql/src/sql/plpgsql_transaction.sql
index 1624aed6ec..236db9bf2b 100644
--- a/src/pl/plpgsql/src/sql/plpgsql_transaction.sql
+++ b/src/pl/plpgsql/src/sql/plpgsql_transaction.sql
@@ -116,6 +116,19 @@ $$;
CALL transaction_test5();
+-- SECURITY DEFINER currently disallow transaction statements
+CREATE PROCEDURE transaction_test5b()
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+ COMMIT;
+END;
+$$;
+
+CALL transaction_test5b();
+
+
TRUNCATE test1;
-- nested procedure calls