From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: copy.c handling for RLS is insecure |
Date: | 2014-10-06 19:08:44 |
Message-ID: | CA+TgmoZ73i3S=yR+qts6_WKG9PazR2zNkK1ymbCtr3jZ6RPvXw@mail.gmail.com |
Lists: | pgsql-hackers |
I left out a few words there.
On Mon, Oct 6, 2014 at 3:07 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> Hmm, that's certainly an interesting point, but I'm trying to work out
>> how this is different from normal COPY..? pg_analyze_and_rewrite()
>> happens for both cases down in BeginCopy().
>
> As far as I can see, the previous code only looked up any given name
> once. If you got a relation name, DoCopy() looked it up, and then
> BeginCopy() references it only by the passed-down Relation descriptor;
> if you got a query, DoCopy() ignores it, and then BeginCopy.
...passes it to pg_analyze_and_rewrite(), which looks up any names it contains.
> All of
> which is fine, at least AFAICS; if you think otherwise, that should be
> reported to pgsql-security. The problem with your code is that you
> start with a relation name (and thus look it up in DoCopy()) and then
> construct a query (which causes the name to be looked up again when
> the query is passed to pg_analyze_and_rewrite() from BeginCopy()) --
> and the lookup might not get the same answer both times. That is, not
> to put too fine a point on it, bad news.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
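
The double-lookup hazard described in the message above, as an added C sketch that is not part of the original message and is not PostgreSQL code. It uses a toy two-entry catalog; `catalog`, `lookup_by_name`, `swap_names`, `CopyResult` and the `copy_*` functions are hypothetical names, and `swap_names` stands in for any concurrent change that re-points a name between the two stages.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, constructed for illustration; not PostgreSQL source. */
typedef unsigned int Oid;
typedef struct { const char *name; Oid oid; } CatalogEntry;
typedef struct { Oid checked; Oid used; int error; } CopyResult;
static CatalogEntry catalog[2];

static void catalog_reset(void) {
    catalog[0] = (CatalogEntry){"accounts", 1001};
    catalog[1] = (CatalogEntry){"scratch", 1002};
}
/* Name -> OID; the answer depends on catalog state at call time. */
static Oid lookup_by_name(const char *name) {
    for (int i = 0; i < 2; i++)
        if (strcmp(catalog[i].name, name) == 0) return catalog[i].oid;
    return 0;
}
/* Stand-in for concurrent DDL landing between the two stages. */
static void swap_names(void) {
    const char *t = catalog[0].name;
    catalog[0].name = catalog[1].name;
    catalog[1].name = t;
}
/* Two lookups: stage 1 resolves the name, stage 2 resolves it again. */
CopyResult copy_two_lookups(const char *name, void (*between)(void)) {
    CopyResult r = { lookup_by_name(name), 0, 0 };
    if (between) between();
    r.used = lookup_by_name(name);
    return r;
}
/* One lookup: stage 2 works from the OID that stage 1 resolved. */
CopyResult copy_one_lookup(const char *name, void (*between)(void)) {
    CopyResult r = { lookup_by_name(name), 0, 0 };
    if (between) between();
    r.used = r.checked;
    return r;
}
/* If a second lookup is unavoidable, compare the answers and fail closed. */
CopyResult copy_verified(const char *name, void (*between)(void)) {
    CopyResult r = copy_two_lookups(name, between);
    if (r.used != r.checked) { r.error = 1; r.used = 0; }
    return r;
}
int main(void) {
    catalog_reset();
    CopyResult r = copy_two_lookups("accounts", swap_names);
    printf("two lookups: checked %u, used %u\n", r.checked, r.used);
    return 0;
}
```

In the two-lookup variant the relation that was checked and the relation that is read differ; the other two variants either never ask the catalog a second time or refuse to proceed when the answers disagree.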