Fix priv checks for ALTER <object> DEPENDS ON EXTENSION

Marking an object as dependant on an extension did not have any
privilege check whatsoever; this allowed any user to mark objects as
droppable by anyone able to DROP EXTENSION, which could be used to cause
system-wide havoc.  Disallow by checking that the calling user owns the
mentioned object.

(No constraints are placed on the extension.)

Security: CVE-2020-1720
Reported-by: Tom Lane
Discussion: 31605.1566429043@sss.pgh.pa.us

diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 1301bcb5e824d809972ee95401638e88263bbf32..3ef3bd4b06757a21cc8819e182bec59c41feddc6 100644 (file)
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -408,6 +408,19 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre
                get_object_address_rv(stmt->objectType, stmt->relation, stmt->objname,
                                                        stmt->objargs, &rel, AccessExclusiveLock, false);
 
+       /*
+        * Verify that the user is entitled to run the command.
+        *
+        * We don't check any privileges on the extension, because that's not
+        * needed.  The object owner is stipulating, by running this command, that
+        * the extension owner can drop the object whenever they feel like it,
+        * which is not considered a problem.
+        */
+       check_object_ownership(GetUserId(),
+                                                  stmt->objectType, address,
+                                                  stmt->objname, stmt->objargs,
+                                                  rel);
+
        /*
         * If a relation was involved, it would have been opened and locked. We
         * don't need the relation here, but we'll retain the lock until commit.