Skip to content

P
Postgres FD Implementation
Commit 38840723 authored by Peter Eisentraut's avatar Peter Eisentraut
Browse files
Options

Prohibit transaction commands in security definer procedures 

Starting and aborting transactions in security definer procedures
doesn't work.  StartTransaction() insists that the security context
stack is empty, so this would currently cause a crash, and
AbortTransaction() resets it.  This could be made to work by
reorganizing the code, but right now we just prohibit it.
Reported-by: default avataramul sul <sulamul@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/CAAJ_b96Gupt_LFL7uNyy3c50-wbhA68NUjiK5%3DrF6_w%3Dpq_T%3DQ%40mail.gmail.com
parent 1f4ec894
Hide whitespace changes
Inline Side-by-side
Showing with 40 additions and 0 deletions
doc/src/sgml/ref/create_procedure.sgml
View file @ 38840723
...@@ -203,6 +203,12 @@ CREATE [ OR REPLACE ] PROCEDURE ...@@ -203,6 +203,12 @@ CREATE [ OR REPLACE ] PROCEDURE
conformance, but it is optional since, unlike in SQL, this feature conformance, but it is optional since, unlike in SQL, this feature
applies to all procedures not only external ones. applies to all procedures not only external ones.
</para> </para>
<para>
A <literal>SECURITY DEFINER</literal> procedure cannot execute
transaction control statements (for example, <command>COMMIT</command>
and <command>ROLLBACK</command>, depending on the language).
</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
src/backend/commands/functioncmds.c
View file @ 38840723
...@@ -2245,6 +2245,15 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver ...@@ -2245,6 +2245,15 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver
if (!heap_attisnull(tp, Anum_pg_proc_proconfig, NULL)) if (!heap_attisnull(tp, Anum_pg_proc_proconfig, NULL))
callcontext->atomic = true; callcontext->atomic = true;
/*
* In security definer procedures, we can't allow transaction commands.
* StartTransaction() insists that the security context stack is empty,
* and AbortTransaction() resets the security context. This could be
* reorganized, but right now it doesn't work.
*/
if (((Form_pg_proc )GETSTRUCT(tp))->prosecdef)
callcontext->atomic = true;
/* /*
* Expand named arguments, defaults, etc. * Expand named arguments, defaults, etc.
*/ */
......
src/pl/plpgsql/src/expected/plpgsql_transaction.out
View file @ 38840723
...@@ -130,6 +130,18 @@ $$; ...@@ -130,6 +130,18 @@ $$;
CALL transaction_test5(); CALL transaction_test5();
ERROR: invalid transaction termination ERROR: invalid transaction termination
CONTEXT: PL/pgSQL function transaction_test5() line 3 at COMMIT CONTEXT: PL/pgSQL function transaction_test5() line 3 at COMMIT
-- SECURITY DEFINER currently disallow transaction statements
CREATE PROCEDURE transaction_test5b()
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
COMMIT;
END;
$$;
CALL transaction_test5b();
ERROR: invalid transaction termination
CONTEXT: PL/pgSQL function transaction_test5b() line 3 at COMMIT
TRUNCATE test1; TRUNCATE test1;
-- nested procedure calls -- nested procedure calls
CREATE PROCEDURE transaction_test6(c text) CREATE PROCEDURE transaction_test6(c text)
......
src/pl/plpgsql/src/sql/plpgsql_transaction.sql
View file @ 38840723
...@@ -116,6 +116,19 @@ $$; ...@@ -116,6 +116,19 @@ $$;
CALL transaction_test5(); CALL transaction_test5();
-- SECURITY DEFINER currently disallow transaction statements
CREATE PROCEDURE transaction_test5b()
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
COMMIT;
END;
$$;
CALL transaction_test5b();
TRUNCATE test1; TRUNCATE test1;
-- nested procedure calls -- nested procedure calls
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment