Creator of a range type must have permission to call support functions.

Since range types can be created by non-superusers, we need to consider
their permissions.  Ideally we'd check this when the type is used, not
when it's created, but that seems like much more trouble than it's worth.
The existing restriction that the support functions be immutable already
prevents most cases where an unauthorized call to a function might be
thought a security issue, and the fact that the user has no access to
the results of the system's calls to subtype_diff closes off the other
plausible reason for concern.  So this check is basically pro-forma,
but let's make it anyway.

diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c
index ee75600a12cf38555cbca602664bb340f352b540..84ba1a6366398f8136cb66d75899c1921e3ab2ab 100644 (file)
--- a/src/backend/commands/typecmds.c
+++ b/src/backend/commands/typecmds.c
@@ -1853,6 +1853,7 @@ findRangeCanonicalFunction(List *procname, Oid typeOid)
 {
        Oid                     argList[1];
        Oid                     procOid;
+       AclResult       aclresult;
 
        /*
         * Range canonical functions must take and return the range type, and must
@@ -1880,6 +1881,11 @@ findRangeCanonicalFunction(List *procname, Oid typeOid)
                                 errmsg("range canonical function %s must be immutable",
                                                func_signature_string(procname, 1, NIL, argList))));
 
+       /* Also, range type's creator must have permission to call function */
+       aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE);
+       if (aclresult != ACLCHECK_OK)
+               aclcheck_error(aclresult, ACL_KIND_PROC, get_func_name(procOid));
+
        return procOid;
 }
 
@@ -1888,6 +1894,7 @@ findRangeSubtypeDiffFunction(List *procname, Oid subtype)
 {
        Oid                     argList[2];
        Oid                     procOid;
+       AclResult       aclresult;
 
        /*
         * Range subtype diff functions must take two arguments of the subtype,
@@ -1916,6 +1923,11 @@ findRangeSubtypeDiffFunction(List *procname, Oid subtype)
                                 errmsg("range subtype diff function %s must be immutable",
                                                func_signature_string(procname, 2, NIL, argList))));
 
+       /* Also, range type's creator must have permission to call function */
+       aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE);
+       if (aclresult != ACLCHECK_OK)
+               aclcheck_error(aclresult, ACL_KIND_PROC, get_func_name(procOid));
+
        return procOid;
 }