| From: | Alexander Korotkov <aekorotkov(at)gmail(dot)com> |
|---|---|
| To: | Dmitry Koval <d(dot)koval(at)postgrespro(dot)ru> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Add SPLIT PARTITION/MERGE PARTITIONS commands |
| Date: | 2024-12-09 06:36:25 |
| Message-ID: | CAPpHfdtXDuBaHscJn-wada6Kaf3fxmS4k-1TTVhpS+Kx=uveyw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi!
On Fri, Aug 30, 2024 at 11:43 AM Dmitry Koval <d(dot)koval(at)postgrespro(dot)ru> wrote:
> I plan to prepare fixes for issues from email [1] as separate commits
> (for better code readability). Attachment in this email is a variant of
> fix for the issue:
>
> > 1. Function createPartitionTable() should be rewritten using
> > partitioned table OID (not name) and without using ProcessUtility().
>
> Patch "Refactor createPartitionTable to remove ProcessUtility call"
> contains code changes + test (see file
> v33-0003-Refactor-createPartitionTable-to-remove-ProcessU.patch).
>
> But I'm not sure that refactoring createPartitionTable is the best
> solution. PostgreSQL code has issue CVE-2014-0062 (commit 5f17304) - see
> relation_openrv() call in expandTableLikeClause() function [2] (opening
> relation by name after we got relation Oid).
> Example for reproduce relation_openrv() call:
>
> CREATE TABLE t (b bigint, i int DEFAULT 100);
> CREATE TABLE t1 (LIKE t_bigint INCLUDING ALL);
>
> Commit 04158e7fa3 [3] (by Alexander Korotkov) might be a good fix for
> this issue. But if we keep commit 04158e7fa3, do we need to refactor the
> createPartitionTable function (for removing ProcessUtility)?
> Perhaps the existing code
> 1) v33-0002-Implement-ALTER-TABLE-.-SPLIT-PARTITION-.-comman.patch
> 2) v33-0003-Refactor-createPartitionTable-to-remove-ProcessU.patch +
> with patch 04158e7fa3 will look better.
>
>
> I would be very grateful for comments and suggestions.
Thank you for continuing your work on the subject. The patches
currently doesn't apply cleanly. Please, rebase.
I think getting away from expandTableLikeClause() is the right
direction to resolve the security problems. That looks great, it
finally not as complex as I thought. I think the code requires some
polishing: you need to revise the comments given its not part of LIKE
clause handling anymore.
I see fixes for the issues mentioned in [1] and [2] are still not
implemented. Do you plan to do this in this release cycle?
Links.
1. https://www.postgresql.org/message-id/CA%2BTgmoY0%3DbT_xBP8csR%3DMFE%3DFxGE2n2-me2-31jBOgEcLvW7ug%40mail.gmail.com
2. https://www.postgresql.org/message-id/859476bf-3cb0-455e-b093-b8ab5ef17f0e%40postgrespro.ru
------
Regards,
Alexander Korotkov
Supabase
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Langote | 2024-12-09 07:10:24 | Re: generic plans and "initial" pruning |
| Previous Message | Darek Ślusarczyk | 2024-12-09 06:25:51 | Re: add support for the old naming libs convention on windows (ssleay32.lib and libeay32.lib) |