From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql: Fix column-privilege leak in error-message paths |
Date: | 2015-01-28 17:33:39 |
Message-ID: | E1YGWUl-0004N2-O4@gemulon.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers pgsql-hackers |
Fix column-privilege leak in error-message paths
While building error messages to return to the user,
BuildIndexValueDescription, ExecBuildSlotValueDescription and
ri_ReportViolation would happily include the entire key or entire row in
the result returned to the user, even if the user didn't have access to
view all of the columns being included.
Instead, include only those columns which the user is providing or which
the user has select rights on. If the user does not have any rights
to view the table or any of the columns involved then no detail is
provided and a NULL value is returned from BuildIndexValueDescription
and ExecBuildSlotValueDescription. Note that, for key cases, the user
must have access to all of the columns for the key to be shown; a
partial key will not be returned.
Further, in master only, do not return any data for cases where row
security is enabled on the relation and row security should be applied
for the user. This required a bit of refactoring and moving of things
around related to RLS- note the addition of utils/misc/rls.c.
Back-patch all the way, as column-level privileges are now in all
supported versions.
This has been assigned CVE-2014-8161, but since the issue and the patch
have already been publicized on pgsql-hackers, there's no point in trying
to hide this commit.
Branch
------
master
Details
-------
http://git.postgresql.org/pg/commitdiff/804b6b6db4dcfc590a468e7be390738f9f7755fb
Modified Files
--------------
src/backend/access/index/genam.c | 71 ++++++++++-
src/backend/access/nbtree/nbtinsert.c | 10 +-
src/backend/commands/copy.c | 10 +-
src/backend/commands/createas.c | 4 +-
src/backend/commands/matview.c | 7 ++
src/backend/commands/trigger.c | 6 +
src/backend/executor/execMain.c | 193 +++++++++++++++++++++++------
src/backend/executor/execUtils.c | 12 +-
src/backend/rewrite/rowsecurity.c | 81 +-----------
src/backend/utils/adt/ri_triggers.c | 87 ++++++++++---
src/backend/utils/cache/plancache.c | 2 +-
src/backend/utils/misc/Makefile | 2 +-
src/backend/utils/misc/guc.c | 2 +-
src/backend/utils/misc/rls.c | 114 +++++++++++++++++
src/backend/utils/sort/tuplesort.c | 9 +-
src/include/rewrite/rowsecurity.h | 36 ------
src/include/utils/rls.h | 58 +++++++++
src/test/regress/expected/privileges.out | 31 +++++
src/test/regress/expected/rowsecurity.out | 3 -
src/test/regress/sql/privileges.sql | 25 ++++
20 files changed, 569 insertions(+), 194 deletions(-)
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2015-01-28 22:43:39 | pgsql: Clean up range-table building in copy.c |
Previous Message | Heikki Linnakangas | 2015-01-28 08:27:36 | pgsql: Fix typo in comment. |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2015-01-28 17:36:58 | Re: jsonb, unicode escapes and escaped backslashes |
Previous Message | Stephen Frost | 2015-01-28 17:30:17 | Re: PQgetssl() and alternative SSL implementations |