From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Pierre Ducroquet <p(dot)psql(at)pinaraf(dot)info>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Row Level Security − leakproof-ness and performance implications |
Date: | 2019-02-28 16:37:43 |
Message-ID: | CA+Tgmob2-5HjqgRYVdyg-oaY-h8Q=t=9UwWS+0=m1Tp_jLrDnQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Feb 28, 2019 at 11:14 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
> > Although, and Joe may hate me for saying this, I think only the
> > non-constants should be redacted to keep some level of usability for
> > regular SQL errors. Maybe system errors like the above should be
> > removed from client messages in general.
>
> I started down this path and it looked fragile. I guess if there is
> generally enough support to think this might be viable I could open up
> that door again, but I don't want to waste time if the approach is
> really a non-starter as stated upthread :-/.

Hmm. It seems to me that if there's a function that sometimes throws
an error and other times does not, and if that behavior is dependent
on the input, then even redacting the error message down to 'ERROR:
error' does not remove the leak. So it seems to me that regardless of
what one thinks about the proposal from a usability perspective, it's
probably not correct from a security standpoint. Information that
couldn't be leaked under present rules would leak with this change,
when the new GUCs were turned on.

Am I wrong?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
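
A toy model of the point made in the message above, added here as an illustration; it is not part of the original post and is not PostgreSQL code. The names `risky`, `run_query`, `distinguishable` and the sample tables are constructed: `pushdown=True` stands in for treating a non-leakproof function as leakproof (evaluated ahead of the row-security policy), and `redact=True` for reducing the client-visible message to 'ERROR: error'.

```python
def risky(val):
    # Hypothetical non-leakproof function: raises only when val == 0.
    return 100 // val > 10


def run_query(rows, user, pushdown, redact):
    """Return what the client observes: ('rows', [...]) or ('error', message).

    pushdown=False models the present rule: the policy filters first, so
    risky() only ever sees rows the user is allowed to read.
    pushdown=True models treating risky() as leakproof: it runs on every
    row, including rows the policy would later hide.
    """
    visible = []
    try:
        for row in rows:
            allowed = row["owner"] == user          # the row-security policy
            if pushdown:
                if risky(row["val"]) and allowed:   # function sees hidden rows
                    visible.append(row["val"])
            elif allowed and risky(row["val"]):     # policy short-circuits first
                visible.append(row["val"])
    except ZeroDivisionError as exc:
        # Redaction removes the text, not the fact that an error occurred.
        return ("error", "error" if redact else f"{exc} (val={row['val']})")
    return ("rows", visible)


def distinguishable(pushdown, redact):
    """True if alice's observation depends on bob's hidden value."""
    # Constructed sample tables, identical in everything alice may read.
    table_a = [{"owner": "alice", "val": 5}, {"owner": "bob", "val": 0}]
    table_b = [{"owner": "alice", "val": 5}, {"owner": "bob", "val": 3}]
    return (run_query(table_a, "alice", pushdown, redact)
            != run_query(table_b, "alice", pushdown, redact))


if __name__ == "__main__":
    for pushdown in (False, True):
        for redact in (False, True):
            print(f"pushdown={pushdown!s:5} redact={redact!s:5} "
                  f"leak={distinguishable(pushdown, redact)}")
```

In this model only the evaluation order changes the result: with the policy applied first the two tables are indistinguishable to alice, and with pushdown they differ whether or not the message is redacted.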