From cd7ab57532bb4fbf2e636b1f7d132e6e2d9ac5fc Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Mon, 11 Nov 2024 09:00:00 -0600
Subject: Ensure cached plans are correctly marked as dependent on role.

If a CTE, subquery, sublink, security invoker view, or coercion
projection references a table with row-level security policies, we
neglected to mark the plan as potentially dependent on which role
is executing it.  This could lead to later executions in the same
session returning or hiding rows that should have been hidden or
returned instead.

Reported-by: Wolfgang Walther
Reviewed-by: Noah Misch
Security: CVE-2024-10976
Backpatch-through: 12
---
 src/backend/executor/functions.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/backend/executor/functions.c')

diff --git a/src/backend/executor/functions.c b/src/backend/executor/functions.c
index 692854e2b3e..39880663307 100644
--- a/src/backend/executor/functions.c
+++ b/src/backend/executor/functions.c
@@ -1972,6 +1972,12 @@ tlist_coercion_finished:
 		rtr->rtindex = 1;
 		newquery->jointree = makeFromExpr(list_make1(rtr), NULL);
 
+		/*
+		 * Make sure the new query is marked as having row security if the
+		 * original one does.
+		 */
+		newquery->hasRowSecurity = parse->hasRowSecurity;
+
 		/* Replace original query in the correct element of the query list */
 		lfirst(parse_cell) = newquery;
 	}
-- 
cgit v1.2.3