pgsql: In REFRESH MATERIALIZED VIEW, set user ID before running user co

From: Noah Misch <noah(at)leadboat(dot)com>
To: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: pgsql: In REFRESH MATERIALIZED VIEW, set user ID before running user co
Date: 2022-05-09 15:37:46
Message-ID: E1no5SD-000lVC-2p@gemulon.postgresql.org
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-committers

In REFRESH MATERIALIZED VIEW, set user ID before running user code.

It intended to, but did not, achieve this. Adopt the new standard of
setting user ID just after locking the relation. Back-patch to v10 (all
supported versions).

Reviewed by Simon Riggs. Reported by Alvaro Herrera.

Security: CVE-2022-1552

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/677a494789062ca88e0142a17bedd5415f6ab0aa

Modified Files
--------------
src/backend/commands/matview.c | 30 +++++++++++-------------------
src/test/regress/expected/privileges.out | 16 ++++++++++++++++
src/test/regress/sql/privileges.sql | 17 +++++++++++++++++
3 files changed, 44 insertions(+), 19 deletions(-)

Browse pgsql-committers by date

  From Date Subject
Next Message Tom Lane 2022-05-09 15:41:31 pgsql: Revert "Disallow infinite endpoints in generate_series() for tim
Previous Message Andrew Dunstan 2022-05-09 14:10:27 Re: pgsql: Remove command checks in tests of pg_basebackup and pg_receivewa