author: Peter Eisentraut <peter@eisentraut.org> 2025-06-25 09:55:04 +0200
committer: Peter Eisentraut <peter@eisentraut.org> 2025-06-25 09:56:49 +0200
commit: 0cd69b3d7ef357f2b43258de5831c4de0bd51dec (patch)
tree: 58eb6ee394792c6a61b45828a2f14a4bebed8a3a /doc/src
parent: 69e5cdc47fa1fbd97c8b8c7abe6fb0b9a9822acb (diff)
Restrict virtual columns to use built-in functions and types

Just like selecting from a view is exploitable (CVE-2024-7348), selecting from a table with virtual generated columns is exploitable. Users who are concerned about this can avoid selecting from views, but telling them to avoid selecting from tables is less practical.

To address this, this changes it so that generation expressions for virtual generated columns are restricted to using built-in functions and types, and the columns are restricted to having a built-in type. We assume that built-in functions and types cannot be exploited for this purpose.

In the future, this could be expanded by some new mechanism to declare other functions and types as safe or trusted for this purpose, but that is to be designed.

(An alternative approach might have been to expand the restrict_nonsystem_relation_kind GUC to handle this, like the fix for CVE-2024-7348. But that is kind of an ugly approach. That fix had to fit in the constraints of fixing an ancient vulnerability in all branches. Since virtual generated columns are new, we're free from the constraints of the past, and we can and should use cleaner options.)

Reported-by: Feike Steenbergen <feikesteenbergen@gmail.com>
Reviewed-by: jian he <jian.universality@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/CAK_s-G2Q7de8Q0qOYUR%3D_CTB5FzzVBm5iZjOp%2BmeVWpMpmfO0w%40mail.gmail.com

Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/ddl.sgml 10
-rw-r--r-- doc/src/sgml/ref/create_table.sgml 9
2 files changed, 19 insertions, 0 deletions
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 96936bcd3ae..65bc070d2e5 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -421,6 +421,16 @@ CREATE TABLE people (
</listitem>
<listitem>
<para>
+ A virtual generated column cannot have a user-defined type, and the
+ generation expression of a virtual generated column must not reference
+ user-defined functions or types, that is, it can only use built-in
+ functions or types. This applies also indirectly, such as for functions
+ or types that underlie operators or casts. (This restriction does not
+ exist for stored generated columns.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
A generated column cannot have a column default or an identity definition.
</para>
</listitem>
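Review bot: The new list item in ddl.sgml states the restriction but never says why it exists, so the closing parenthetical "(This restriction does not exist for stored generated columns.)" leaves the reader guessing at what distinguishes the two kinds. Suggest adding one sentence noting that this is a security restriction, because the generation expression of a virtual column is evaluated when the table is read. The text should also define "built-in" more precisely, in particular whether functions and types installed by an extension count as user-defined. Minor wording: "This applies also indirectly" reads more naturally as "This also applies indirectly".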
diff --git a/doc/src/sgml/ref/create_table.sgml b/doc/src/sgml/ref/create_table.sgml
index 9d92e0a3551..dc000e913c1 100644
--- a/doc/src/sgml/ref/create_table.sgml
+++ b/doc/src/sgml/ref/create_table.sgml
@@ -924,6 +924,15 @@ WITH ( MODULUS <replaceable class="parameter">numeric_literal</replaceable>, REM
not other generated columns. Any functions and operators used must be
immutable. References to other tables are not allowed.
</para>
+
+ <para>
+ A virtual generated column cannot have a user-defined type, and the
+ generation expression of a virtual generated column must not reference
+ user-defined functions or types, that is, it can only use built-in
+ functions or types. This applies also indirectly, such as for functions
+ or types that underlie operators or casts. (This restriction does not
+ exist for stored generated columns.)
+ </para>
</listitem>
</varlistentry>
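Review bot: The paragraph added after "References to other tables are not allowed." in create_table.sgml is a word-for-word copy of the list item added to ddl.sgml, so the two copies can drift apart when the rule changes, and the commit message already anticipates a later mechanism for declaring other functions and types as safe. Consider keeping the full explanation in one of the two files and reducing the other to a one-sentence statement of the restriction with a cross-reference. Also note that the preceding context sentence, "Any functions and operators used must be immutable", applies to all generated columns while the new paragraph applies only to virtual ones; opening the new paragraph with "In addition," would make that scope change easier to spot.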