Fix priv checks for ALTER <object> DEPENDS ON EXTENSION Marking an object as dependant on an extension did not have any privilege check whatsoever; this allowed any user to mark objects as droppable by anyone able to DROP EXTENSION, which could be used to cause system-wide havoc. Disallow by checking that the calling user owns the mentioned object.
(No constraints are placed on the extension.) Security: CVE-2020-1720 Reported-by: Tom Lane Discussion: [email protected] Branch ------ REL_12_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/2ad125322d5be8b264f2b0945d7dd23ba3ace60e Modified Files -------------- src/backend/commands/alter.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
