Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(), but it failed to check for that, as reported by Chapman Flack. Oversight in commit c50b7c09d; backpatch to 9.4 where that was introduced. Tom Lane and Michael Paquier Security: CVE-2017-7548
author: Tom Lane <tgl@sss.pgh.pa.us> 2017-08-07 10:19:01 -0400
committer: Tom Lane <tgl@sss.pgh.pa.us> 2017-08-07 10:19:22 -0400
commit: f1cda6d6cbb2b551331802cab57957fa5307cf2c (patch)
tree: 7da145bc52d84c8413028bb7a5a2f56b7476359e /src/backend/libpq/be-fsstubs.c
parent: b6e39ca92eeee4e5fa0e83ce3e04dad82559983f (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/src/backend/libpq/be-fsstubs.c b/src/backend/libpq/be-fsstubs.c
index 52bac4337d3..bcc90b9be2a 100644
--- a/src/backend/libpq/be-fsstubs.c
+++ b/src/backend/libpq/be-fsstubs.c
@@ -898,6 +898,18 @@ lo_put(PG_FUNCTION_ARGS)
 	CreateFSContext();
 
 	loDesc = inv_open(loOid, INV_WRITE, fscxt);
+
+	/* Permission check */
+	if (!lo_compat_privileges &&
+		pg_largeobject_aclcheck_snapshot(loDesc->id,
+										 GetUserId(),
+										 ACL_UPDATE,
+										 loDesc->snapshot) != ACLCHECK_OK)
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("permission denied for large object %u",
+						loDesc->id)));
+
 	inv_seek(loDesc, offset, SEEK_SET);
 	written = inv_write(loDesc, VARDATA_ANY(str), VARSIZE_ANY_EXHDR(str));
 	Assert(written == VARSIZE_ANY_EXHDR(str));
author	Tom Lane <tgl@sss.pgh.pa.us>	2017-08-07 10:19:01 -0400
committer	Tom Lane <tgl@sss.pgh.pa.us>	2017-08-07 10:19:22 -0400
commit	f1cda6d6cbb2b551331802cab57957fa5307cf2c (patch)
tree	7da145bc52d84c8413028bb7a5a2f56b7476359e /src/backend/libpq/be-fsstubs.c
parent	b6e39ca92eeee4e5fa0e83ce3e04dad82559983f (diff)