postgresql

mirror of https://git.postgresql.org/git/postgresql.git synced 2024-12-21 08:29:39 +08:00

History

Tom Lane 891e6e7bfd Require execute permission on the trigger function for CREATE TRIGGER. This check was overlooked when we added function execute permissions to the system years ago. For an ordinary trigger function it's not a big deal, since trigger functions execute with the permissions of the table owner, so they couldn't do anything the user issuing the CREATE TRIGGER couldn't have done anyway. However, if a trigger function is SECURITY DEFINER, that is not the case. The lack of checking would allow another user to install it on his own table and then invoke it with, essentially, forged input data; which the trigger function is unlikely to realize, so it might do something undesirable, for instance insert false entries in an audit log table. Reported by Dinesh Kumar, patch by Robert Haas Security: CVE-2012-0866		2012-02-23 15:38:56 -05:00
..
src	Require execute permission on the trigger function for CREATE TRIGGER.	2012-02-23 15:38:56 -05:00
bug.template
KNOWN_BUGS
Makefile
MISSING_FEATURES
TODO