git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Feb 2021 15:14:09 +0000 (10:14 -0500)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 8 Feb 2021 15:14:09 +0000 (10:14 -0500)
commit	d525fbcfd167b28818301d0a2d3548ae6a744588
tree	decbe98ebc717a8d3448171f8232baf0494451fb	tree \| snapshot
parent	8e56684d54d44ba4ed737d5847d31fba6fb13763	commit \| diff

Fix mishandling of column-level SELECT privileges for join aliases.

scanNSItemForColumn, expandNSItemAttrs, and ExpandSingleTable would
pass the wrong RTE to markVarForSelectPriv when dealing with a join
ParseNamespaceItem: they'd pass the join RTE, when what we need to
mark is the base table that the join column came from.  The end
result was to not fill the base table's selectedCols bitmap correctly,
resulting in an understatement of the set of columns that are read
by the query.  The executor would still insist on there being at
least one selectable column; but with a correctly crafted query,
a user having SELECT privilege on just one column of a table would
nonetheless be allowed to read all its columns.

To fix, make markRTEForSelectPriv fetch the correct RTE for itself,
ignoring the possibly-mismatched RTE passed by the caller.  Later,
we'll get rid of some now-unused RTE arguments, but that risks
API breaks so we won't do it in released branches.

This problem was introduced by commit 9ce77d75c, so back-patch
to v13 where that came in.  Thanks to Sven Klemm for reporting
the problem.

Security: CVE-2021-20229

src/backend/parser/parse_relation.c		diff \| blob \| blame \| history
src/backend/parser/parse_target.c		diff \| blob \| blame \| history
src/test/regress/expected/privileges.out		diff \| blob \| blame \| history
src/test/regress/sql/privileges.sql		diff \| blob \| blame \| history