From d1b8b8fbea0b34907b9571d2f7506e2089adb011 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 23 Feb 2012 15:39:20 -0500
Subject: [PATCH] Require execute permission on the trigger function for CREATE TRIGGER.

This check was overlooked when we added function execute permissions to the system years ago. For an ordinary trigger function it's not a big deal, since trigger functions execute with the permissions of the table owner, so they couldn't do anything the user issuing the CREATE TRIGGER couldn't have done anyway. However, if a trigger function is SECURITY DEFINER, that is not the case. The lack of checking would allow another user to install it on his own table and then invoke it with, essentially, forged input data; which the trigger function is unlikely to realize, so it might do something undesirable, for instance insert false entries in an audit log table.

Reported by Dinesh Kumar, patch by Robert Haas

Security: CVE-2012-0866
---
 doc/src/sgml/ref/create_trigger.sgml | 3 ++-
 src/backend/commands/trigger.c | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/ref/create_trigger.sgml b/doc/src/sgml/ref/create_trigger.sgml
index 9cbdcf91651..d799e466129 100644
--- a/doc/src/sgml/ref/create_trigger.sgml
+++ b/doc/src/sgml/ref/create_trigger.sgml
@@ -176,7 +176,8 @@ CREATE TRIGGER name { BEFORE | AFTE
 To create a trigger on a table, the user must have the
- TRIGGER privilege on the table.
+ TRIGGER privilege on the table. The user must
+ also have EXECUTE privilege on the trigger function.
diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c
index 2fc35eed29b..ebc1cce09e9 100644
--- a/src/backend/commands/trigger.c
+++ b/src/backend/commands/trigger.c
@@ -188,6 +188,10 @@ CreateTrigger(CreateTrigStmt *stmt, Oid constraintOid)
 * Find and validate the trigger function.
 */
 funcoid = LookupFuncName(stmt->funcname, 0, fargtypes, false);
+ aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, ACL_KIND_PROC,
+ NameListToString(stmt->funcname));
 funcrettype = get_func_rettype(funcoid);
 if (funcrettype != TRIGGEROID)
 {
-- 
2.39.5
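Review bot: The added `pg_proc_aclcheck()` call has no comment explaining why CREATE TRIGGER needs EXECUTE on the function, and the block comment above it still says only "Find and validate the trigger function"; I would add `/* Require EXECUTE: a SECURITY DEFINER trigger function could otherwise be attached to a table the caller owns and fired with caller-chosen row data. */` directly before the check. The check runs only when a trigger is created, so triggers installed before this fix are not re-validated, and deployments should audit existing triggers that reference SECURITY DEFINER functions after upgrading. The check is also unconditional in the visible lines, so if internally generated triggers (a valid `constraintOid`) pass through this path they are subject to it as well. That is worth confirming, since CreateTrigger starts and ends outside the hunk and `aclresult` is declared there.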