Never trust trusted and superuser fields from extension controlfile (#86)

reshke · rkhapov · commit 28a3f4d655bb · 2026-05-13T20:56:37.000+05:00
For all in-core (contrib) extension, we already switch trusted options to false.
For third-party extensions, simply never trust nothing.
This makes API management of extensions consistent.
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
@@ -1032,11 +1032,17 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
 	 * here so that the control flags are correctly associated with the right
 	 * script(s) if they happen to be set in secondary control files.
 	 */
-	if (control->superuser && !superuser())
+	 /* MDB does not trust control->superuser */
+	if (!superuser())
 	{
+
+		/* MDB addon */
+#if 0
 		if (extension_is_trusted(control))
 			switch_to_superuser = true;
-		else if (from_version == NULL)
+		else
+#endif
+		if (from_version == NULL)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create extension \"%s\"",
@@ -1056,6 +1062,11 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
 
 	filename = get_extension_script_filename(control, from_version, version);
 
+	/* MDB addons. Never trust extension's controlfile trusted and/or superuser field.
+	* XXX: rethink this if we start support SQL-level ext API */
+
+	switch_to_superuser = false;
+
 	/*
 	 * If installing a trusted extension on behalf of a non-superuser, become
 	 * the bootstrap superuser.  (This switch will be cleaned up automatically
diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
@@ -4,20 +4,21 @@ MODULE = test_extensions
 PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
 
 EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
-            test_ext7 test_ext8 test_ext_cine test_ext_cor \
+            test_ext7 test_ext8 test_ext_mdb test_ext_cine test_ext_cor \
             test_ext_cyclic1 test_ext_cyclic2 \
             test_ext_extschema \
             test_ext_evttrig
 DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
        test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \
        test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \
+       test_ext_mdb--1.0.sql \
        test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
        test_ext_cor--1.0.sql \
        test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql \
        test_ext_extschema--1.0.sql \
        test_ext_evttrig--1.0.sql test_ext_evttrig--1.0--2.0.sql
 
-REGRESS = test_extensions test_extdepend
+REGRESS = test_extensions test_extdepend test_mdb
 
 # force C locale for output stability
 NO_LOCALE = 1
diff --git a/src/test/modules/test_extensions/expected/test_mdb.out b/src/test/modules/test_extensions/expected/test_mdb.out
@@ -0,0 +1,15 @@
+CREATE ROLE regress_mdb_admin_user1;
+CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_admin;
+GRANT mdb_admin TO regress_mdb_admin_user1;
+GRANT mdb_superuser TO regress_mdb_admin_user1;
+GRANT CREATE ON DATABASE contrib_regression TO regress_mdb_admin_user1;
+SET ROLE regress_mdb_admin_user1;
+CREATE EXTENSION test_ext_mdb;
+ERROR:  permission denied to create extension "test_ext_mdb"
+HINT:  Must have CREATE privilege on current database to create this extension.
+RESET ROLE;
+DROP ROLE mdb_superuser;
+DROP ROLE mdb_admin;
+DROP OWNED BY regress_mdb_admin_user1;
+DROP ROLE regress_mdb_admin_user1;
diff --git a/src/test/modules/test_extensions/sql/test_mdb.sql b/src/test/modules/test_extensions/sql/test_mdb.sql
@@ -0,0 +1,22 @@
+CREATE ROLE regress_mdb_admin_user1;
+
+CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_admin;
+
+GRANT mdb_admin TO regress_mdb_admin_user1;
+GRANT mdb_superuser TO regress_mdb_admin_user1;
+
+GRANT CREATE ON DATABASE contrib_regression TO regress_mdb_admin_user1;
+
+SET ROLE regress_mdb_admin_user1;
+
+CREATE EXTENSION test_ext_mdb;
+
+RESET ROLE;
+
+DROP ROLE mdb_superuser;
+DROP ROLE mdb_admin;
+
+DROP OWNED BY regress_mdb_admin_user1;
+
+DROP ROLE regress_mdb_admin_user1;
diff --git a/src/test/modules/test_extensions/test_ext_mdb--1.0.sql b/src/test/modules/test_extensions/test_ext_mdb--1.0.sql
@@ -0,0 +1,15 @@
+/* src/test/modules/test_extensions/test_ext9--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION test_ext9" to load this file. \quit
+
+-- create some random data type
+create domain posint as int check (value > 0);
+
+-- use it in regular and temporary tables and functions
+
+create table ext9_table1 (f1 posint);
+
+create function ext9_even (posint) returns bool as
+  'select ($1 % 2) = 0' language sql;
+
diff --git a/src/test/modules/test_extensions/test_ext_mdb.control b/src/test/modules/test_extensions/test_ext_mdb.control
@@ -0,0 +1,6 @@
+comment = 'Test extension mdb'
+default_version = '1.0'
+schema = 'public'
+relocatable = false
+trusted = true
+superuser = false
