Check CREATE privilege on multirange type schema in CREATE TYPE.

This omission allowed roles to create multirange types in any
schema, potentially leading to privilege escalations.  Note that
when a multirange type name is not specified in CREATE TYPE, it is
automatically placed in the range type's schema, which is checked
at the beginning of DefineRange().

Reported-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Author: Jelte Fennema-Nio <postgres@jeltef.nl>
Reviewed-by: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Tomas Vondra <tomas@vondra.me>
Security: CVE-2026-6472
Backpatch-through: 14

diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c
index 430ec671e6efdf3ce7eb9a616db13825757dce95..690f541660c6ab2e5ce3c918712ec3db7a484017 100644 (file)
--- a/src/backend/commands/typecmds.c
+++ b/src/backend/commands/typecmds.c
@@ -1443,6 +1443,13 @@ DefineRange(ParseState *pstate, CreateRangeStmt *stmt)
                        /* we can look up the subtype name immediately */
                        multirangeNamespace = QualifiedNameGetCreationNamespace(defGetQualifiedName(defel),
                                                                                                                                        &multirangeTypeName);
+
+                       /* Check we have creation rights in target namespace */
+                       aclresult = object_aclcheck(NamespaceRelationId, multirangeNamespace,
+                                                                               GetUserId(), ACL_CREATE);
+                       if (aclresult != ACLCHECK_OK)
+                               aclcheck_error(aclresult, OBJECT_SCHEMA,
+                                                          get_namespace_name(multirangeNamespace));
                }
                else
                        ereport(ERROR,

diff --git a/src/test/regress/expected/multirangetypes.out b/src/test/regress/expected/multirangetypes.out
index 4290998912f1ba7ab4ba898b44dd872092a8418a..b5d5483018af8a6ee47d53821d811871aa73dfea 100644 (file)
--- a/src/test/regress/expected/multirangetypes.out
+++ b/src/test/regress/expected/multirangetypes.out
@@ -3115,6 +3115,22 @@ select _textrange1(textrange2('a','z')) @> 'b'::text;
 drop type textrange1;
 drop type textrange2;
 --
+-- CREATE TYPE checks for CREATE on multirange schema
+--
+create role regress_mr;
+create schema mr_sch;
+set role regress_mr;
+create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
+ERROR:  permission denied for schema mr_sch
+reset role;
+grant create on schema mr_sch to regress_mr;
+set role regress_mr;
+create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
+reset role;
+drop type mytype;
+drop schema mr_sch;
+drop role regress_mr;
+--
 -- Test polymorphic type system
 --
 create function anyarray_anymultirange_func(a anyarray, r anymultirange)

diff --git a/src/test/regress/sql/multirangetypes.sql b/src/test/regress/sql/multirangetypes.sql
index cd3b940fd313b8fa8df819274b62e4c4936678d1..d97d44ebae8996ab7687f62b347504ed50cd54bf 100644 (file)
--- a/src/test/regress/sql/multirangetypes.sql
+++ b/src/test/regress/sql/multirangetypes.sql
@@ -700,6 +700,22 @@ select _textrange1(textrange2('a','z')) @> 'b'::text;
 drop type textrange1;
 drop type textrange2;
 
+--
+-- CREATE TYPE checks for CREATE on multirange schema
+--
+create role regress_mr;
+create schema mr_sch;
+set role regress_mr;
+create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
+reset role;
+grant create on schema mr_sch to regress_mr;
+set role regress_mr;
+create type mytype as range (subtype=int4, multirange_type_name=mr_sch.mr_type);
+reset role;
+drop type mytype;
+drop schema mr_sch;
+drop role regress_mr;
+
 --
 -- Test polymorphic type system
 --