From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Dilip Kumar <dilipbalaut(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Side effect of CVE-2017-7484 fix? |
Date: | 2018-10-24 20:01:29 |
Message-ID: | CA+TgmoYpeurKKmzq9TXURRXGByHqmkqK7v5mbtQV255UrxqFQg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Oct 22, 2018 at 9:47 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Dilip Kumar <dilipbalaut(at)gmail(dot)com> writes:
> > As part of the security fix
> > (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> > users from accessing the statistics of the table if the user doesn't
> > have privileges on the table and the function is not leakproof. Now,
> > as a side effect of this, if the user has the privileges on the root
> > partitioned table but does not have privilege on the child tables, the
> > user will be able to access the data of the child table but it won't
> > be able to access the statistics of the child table. This may result
> > in a bad plan.
>
> This was complained of already,
> https://www.postgresql.org/message-id/flat/3876.1531261875%40sss.pgh.pa.us
I guess you never followed up on that part, though. Any special
reason for that, or just lack of round tuits?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Fabien COELHO | 2018-10-24 20:43:02 | Re: pgbench - add pseudo-random permutation function |
Previous Message | legrand legrand | 2018-10-24 18:18:13 | Re: Multiple Wait Events for extensions |