Never trust trusted and superuser fields from extension controlfile (#86)

reshke · robot-cloud-aw · commit b7f1c22b93d5 · 2026-05-05T06:01:15.000Z
For all in-core (contrib) extension, we already switch trusted options to false.
For third-party extensions, simply never trust nothing.
This makes API management of extensions consistent.
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
@@ -1213,11 +1213,17 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
 	 * here so that the control flags are correctly associated with the right
 	 * script(s) if they happen to be set in secondary control files.
 	 */
-	if (control->superuser && !superuser())
+	 /* MDB does not trust control->superuser */
+	if (!superuser())
 	{
+
+		/* MDB addon */
+#if 0
 		if (extension_is_trusted(control))
 			switch_to_superuser = true;
-		else if (from_version == NULL)
+		else
+#endif
+		if (from_version == NULL)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create extension \"%s\"",
@@ -1242,6 +1248,11 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
 	else
 		elog(DEBUG1, "executing extension script for \"%s\" update from version '%s' to '%s'", control->name, from_version, version);
 
+	/* MDB addons. Never trust extension's controlfile trusted and/or superuser field.
+	* XXX: rethink this if we start support SQL-level ext API */
+
+	switch_to_superuser = false;
+
 	/*
 	 * If installing a trusted extension on behalf of a non-superuser, become
 	 * the bootstrap superuser.  (This switch will be cleaned up automatically
diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
@@ -4,7 +4,7 @@ MODULE = test_extensions
 PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
 
 EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
-            test_ext7 test_ext8 test_ext9 test_ext_cine test_ext_cor \
+            test_ext7 test_ext8 test_ext9 test_ext_mdb test_ext_cine test_ext_cor \
             test_ext_cyclic1 test_ext_cyclic2 \
             test_ext_extschema \
             test_ext_evttrig \
@@ -17,6 +17,7 @@ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
        test_ext7--2.0--2.1bad.sql test_ext7--2.0--2.2bad.sql \
        test_ext8--1.0.sql \
        test_ext9--1.0.sql \
+       test_ext_mdb--1.0.sql \
        test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
        test_ext_cor--1.0.sql \
        test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql \
@@ -27,7 +28,7 @@ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
        test_ext_req_schema2--1.0.sql \
        test_ext_req_schema3--1.0.sql
 
-REGRESS = test_extensions test_extdepend
+REGRESS = test_extensions test_extdepend test_mdb
 TAP_TESTS = 1
 
 # force C locale for output stability
diff --git a/src/test/modules/test_extensions/expected/test_mdb.out b/src/test/modules/test_extensions/expected/test_mdb.out
@@ -0,0 +1,15 @@
+CREATE ROLE regress_mdb_admin_user1;
+CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_admin;
+GRANT mdb_admin TO regress_mdb_admin_user1;
+GRANT mdb_superuser TO regress_mdb_admin_user1;
+GRANT CREATE ON DATABASE contrib_regression TO regress_mdb_admin_user1;
+SET ROLE regress_mdb_admin_user1;
+CREATE EXTENSION test_ext_mdb;
+ERROR:  permission denied to create extension "test_ext_mdb"
+HINT:  Must have CREATE privilege on current database to create this extension.
+RESET ROLE;
+DROP ROLE mdb_superuser;
+DROP ROLE mdb_admin;
+DROP OWNED BY regress_mdb_admin_user1;
+DROP ROLE regress_mdb_admin_user1;
diff --git a/src/test/modules/test_extensions/meson.build b/src/test/modules/test_extensions/meson.build
@@ -44,6 +44,8 @@ test_install_data += files(
   'test_ext_req_schema3.control',
   'test_ext_set_schema--1.0.sql',
   'test_ext_set_schema.control',
+  'test_ext_mdb--1.0.sql',
+  'test_ext_mdb.control',
 )
 
 tests += {
diff --git a/src/test/modules/test_extensions/sql/test_mdb.sql b/src/test/modules/test_extensions/sql/test_mdb.sql
@@ -0,0 +1,22 @@
+CREATE ROLE regress_mdb_admin_user1;
+
+CREATE ROLE mdb_superuser;
+CREATE ROLE mdb_admin;
+
+GRANT mdb_admin TO regress_mdb_admin_user1;
+GRANT mdb_superuser TO regress_mdb_admin_user1;
+
+GRANT CREATE ON DATABASE contrib_regression TO regress_mdb_admin_user1;
+
+SET ROLE regress_mdb_admin_user1;
+
+CREATE EXTENSION test_ext_mdb;
+
+RESET ROLE;
+
+DROP ROLE mdb_superuser;
+DROP ROLE mdb_admin;
+
+DROP OWNED BY regress_mdb_admin_user1;
+
+DROP ROLE regress_mdb_admin_user1;
diff --git a/src/test/modules/test_extensions/test_ext_mdb--1.0.sql b/src/test/modules/test_extensions/test_ext_mdb--1.0.sql
@@ -0,0 +1,15 @@
+/* src/test/modules/test_extensions/test_ext9--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION test_ext9" to load this file. \quit
+
+-- create some random data type
+create domain posint as int check (value > 0);
+
+-- use it in regular and temporary tables and functions
+
+create table ext9_table1 (f1 posint);
+
+create function ext9_even (posint) returns bool as
+  'select ($1 % 2) = 0' language sql;
+
diff --git a/src/test/modules/test_extensions/test_ext_mdb.control b/src/test/modules/test_extensions/test_ext_mdb.control
@@ -0,0 +1,6 @@
+comment = 'Test extension mdb'
+default_version = '1.0'
+schema = 'public'
+relocatable = false
+trusted = true
+superuser = false

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ test_install_data += files(`
`44`	`44`	`'test_ext_req_schema3.control',`
`45`	`45`	`'test_ext_set_schema--1.0.sql',`
`46`	`46`	`'test_ext_set_schema.control',`
	`47`	`+ 'test_ext_mdb--1.0.sql',`
	`48`	`+ 'test_ext_mdb.control',`
`47`	`49`	`)`
`48`	`50`
`49`	`51`	`tests += {`