Re: [HACKERS] Re: Fw: Isn't pg_statistic a security hole - Solution Proposal

From: "Joe Conway" <joe(at)conway-family(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, <pgsql-patches(at)postgresql(dot)org>
Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>
Subject: Re: [HACKERS] Re: Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-10 02:26:52
Message-ID: 021e01c0f154$d0b67820$0205a8c0@jecw2k1
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-patches

> I have just thought of a possible compromise. Peter is right that we
> don't want case conversion on table names that are extracted from
> catalogs. But I think we do want it on table names expressed as string
> literals. Could we make the assumption that table names in catalogs
> will be of type 'name'? If so, it'd work to make two versions of the
> has_table_privilege function, one taking type "name" and the other
> taking type "text". The "name" version would take its input as-is,
> the "text" version would do case folding and truncation. This would
> work transparently for queries selecting relation names from the system
> catalogs, and it'd also work transparently for queries using unmarked
> string literals (which will be preferentially resolved as type "text").
> Worst case if the system makes the wrong choice is you throw in an
> explicit coercion to name or text. Comments?

OK -- here's take #5.

It "make"s and "make check"s clean against current cvs tip.

There are now both Text and Name variants, and the regression test support
is rolled into the patch. Note that to be complete wrt Name based variants,
there are now 12 user visible versions of has_table_privilege:

has_table_privilege(Text usename, Text relname, Text priv_type)
has_table_privilege(Text usename, Name relname, Text priv_type)
has_table_privilege(Name usename, Text relname, Text priv_type)
has_table_privilege(Name usename, Name relname, Text priv_type)
has_table_privilege(Text relname, Text priv_type) /* assumes current_user */
has_table_privilege(Name relname, Text priv_type) /* assumes current_user */
has_table_privilege(Text usename, Oid reloid, Text priv_type)
has_table_privilege(Name usename, Oid reloid, Text priv_type)
has_table_privilege(Oid reloid, Text priv_type) /* assumes current_user */
has_table_privilege(Oid usesysid, Text relname, Text priv_type)
has_table_privilege(Oid usesysid, Name relname, Text priv_type)
has_table_privilege(Oid usesysid, Oid reloid, Text priv_type)

For the Text based inputs, a new internal function, get_Name is used
(shamelessly copied from get_seq_name in sequence.c) to downcase if not
quoted, or remove quotes if quoted, and truncate. I also added a few test
cases for the downcasing, quote removal, and Name based variants to the
regression test.

Only thing left (I hope!) is documentation. I'm sure I either have or can
get the DocBook tools, but I've never used them. Would it be simpler to
clone and hand edit one of the existing docs? Any suggestions to get me
started?

Thanks,

-- Joe

Attachment Content-Type Size
has_priv_r5.diff application/octet-stream 43.9 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Alex Pilosov 2001-06-10 02:31:59 cstring datatype
Previous Message Bruce Momjian 2001-06-10 02:00:11 Re: Baby girl

Browse pgsql-patches by date

  From Date Subject
Next Message Joe Conway 2001-06-10 22:26:51 Fw: [HACKERS] Re: Fw: Isn't pg_statistic a security hole - Solution Proposal
Previous Message Bruce Momjian 2001-06-09 22:20:32 Re: Fw: Isn't pg_statistic a security hole - Solution Proposal