From f636ab41aba215eaa3303e21a10f12d81357f1f6 Mon Sep 17 00:00:00 2001 From: Alexander Korotkov Date: Thu, 22 Aug 2024 09:50:48 +0300 Subject: Avoid repeated table name lookups in createPartitionTable() Currently, createPartitionTable() opens the newly created table using its name. This approach is prone to a privilege escalation attack, because we might end up opening another table than the one we just created. This commit addresses the issue above by opening the newly created table by its OID. It appears to be tricky to get a relation OID out of ProcessUtility(). We have to extend TableLikeClause with a new newRelationOid field, which is filled within ProcessUtility() to be further accessed by the caller. Security: CVE-2014-0062 Reported-by: Noah Misch Discussion: https://postgr.es/m/20240808171351.a9.nmisch%40google.com Reviewed-by: Pavel Borisov, Dmitry Koval --- src/backend/tcop/utility.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/backend/tcop/utility.c') diff --git a/src/backend/tcop/utility.c b/src/backend/tcop/utility.c index fa66b8017ed..b317c9ae9d6 100644 --- a/src/backend/tcop/utility.c +++ b/src/backend/tcop/utility.c @@ -1225,6 +1225,12 @@ ProcessUtilitySlow(ParseState *pstate, morestmts = expandTableLikeClause(table_rv, like); stmts = list_concat(morestmts, stmts); + + /* + * Store the OID of newly created relation to the + * TableLikeClause for the caller to use it. + */ + like->newRelationOid = address.objectId; } else { -- cgit v1.2.3
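Review bot: the hunk writes `like->newRelationOid = address.objectId;` but the `newRelationOid` field it relies on is not part of this diff (the view is limited to src/backend/tcop/utility.c, and the commit message says TableLikeClause is extended), so the companion change to the TableLikeClause node definition must land with it, and the new field should be treated as an execution-time output value in the node support code (copy/equal/read/write handling) rather than as parser-produced state, otherwise the OID may be carried into places where it is stale or meaningless. Two further things to confirm that the visible context cannot show: that `address` at this point is the object address of the table just created (it is assigned above the hunk's starting line), and that createPartitionTable() actually switches to opening the relation by this OID, since the assignment alone does not remove the name lookup that the commit message identifies as the privilege escalation risk. The in-hunk comment would also read better as "Store the OID of the newly created relation in the TableLikeClause so the caller can use it."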