Re: copy.c handling for RLS is insecure

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: David Fetter <david(at)fetter(dot)org>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: copy.c handling for RLS is insecure
Date: 2014-10-06 21:13:48
Message-ID: CAOuzzgpkYdURpnofSuiiej+8QRqvxAe6OKxdqA=_ajfC55QBew@mail.gmail.com
Lists: pgsql-hackers

David,

On Monday, October 6, 2014, David Fetter <david(at)fetter(dot)org> wrote:

> On Mon, Oct 06, 2014 at 03:15:25PM -0400, Stephen Frost wrote:
>
> > > As far as I can see, the previous code only looked up any given name
> > > once. If you got a relation name, DoCopy() looked it up, and then
> > > BeginCopy() references it only by the passed-down Relation descriptor;
> > > if you got a query, DoCopy() ignores it, and then BeginCopy. All of
> > > which is fine, at least AFAICS; if you think otherwise, that should be
> > > reported to pgsql-security.
> >
> > Yeah, that's correct. I suppose there's some possible risk of things
> > changing between when you parse the query and when it actually gets
> > analyzed and rewritten, but that's not a security risk per-se..
>
> I'm not sure I understand. If that change violates an access control,
> it's a security risk /per se/, as you put it.

The case I was referring to doesn't violate an access control. I was merely
pointing out that things can change between when the query is submitted by
the user (or even later, during parse analysis) and when we
actually resolve names to OIDs.

Thanks,

Stephen
