From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | David Fetter <david(at)fetter(dot)org> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: copy.c handling for RLS is insecure |
Date: | 2014-10-06 21:13:48 |
Message-ID: | CAOuzzgpkYdURpnofSuiiej+8QRqvxAe6OKxdqA=_ajfC55QBew@mail.gmail.com |
Lists: | pgsql-hackers |
David,

On Monday, October 6, 2014, David Fetter <david(at)fetter(dot)org> wrote:
> On Mon, Oct 06, 2014 at 03:15:25PM -0400, Stephen Frost wrote:
>
> > > As far as I can see, the previous code only looked up any given name
> > > once. If you got a relation name, DoCopy() looked it up, and then
> > > BeginCopy() references it only by the passed-down Relation descriptor;
> > > if you got a query, DoCopy() ignores it, and then BeginCopy. All of
> > > which is fine, at least AFAICS; if you think otherwise, that should be
> > > reported to pgsql-security.
> >
> > Yeah, that's correct. I suppose there's some possible risk of things
> > changing between when you parse the query and when it actually gets
> > analyzed and rewritten, but that's not a security risk per-se..
>
> I'm not sure I understand. If that change violates an access control,
> it's a security risk /per se/, as you put it.

The case I was referring to doesn't violate an access control. I was merely
pointing out that things can change between when the query is submitted by
the user (or even later, during parse analysis) and when we actually resolve
names to OIDs.

Thanks,

Stephen