From: "Joe Conway" <joe(dot)conway(at)mail(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-07 05:09:05
Message-ID: 005c01c0ef0f$f9a1c3d0$0705a8c0@jecw2k1
Lists: pgsql-hackers, pgsql-patches

> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model. (BTW, I only just now added
> truncation code to that routine, so look at current CVS. Perhaps the
> routine should be renamed and placed somewhere else, so that sequence.c
> and has_table_privilege can share it.)
>
Looking at get_seq_name, it does seem like it should be called something
like get_object_name (or just get_name?) and moved to a common location. Am
I correct in thinking that this function could/should be called by any other
function (internal, C, plpgsql, or otherwise) which accepts a text
representation of a system object name?

What if I rename the get_seq_name function and move it to
backend/utils/adt/name.c (and of course change the references to it in
sequence.c)? Actually, now I'm wondering why nameout doesn't downcase and
truncate.

-- Joe
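
The downcase-and-truncate step discussed in this message, as an added C sketch that is not from the original e-mail and is not PostgreSQL's get_seq_name. The function names and the 32-byte limit (standing in for NAMEDATALEN) are assumptions, and double-quoted names are assumed to keep their case.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* assumed stand-in for NAMEDATALEN (constructed value) */

/*
 * normalize_object_name (hypothetical helper): fold a user-supplied object
 * name into `out`, which must hold NAME_MAX_LEN bytes.
 *   - "Quoted" names: strip the surrounding quotes, keep case.
 *   - Unquoted names: downcase.
 *   - Either way: truncate to NAME_MAX_LEN - 1 bytes.
 * Doubled quotes inside a quoted name are not handled in this sketch.
 * Returns 0 on success, -1 on empty input or unbalanced quotes.
 */
int normalize_object_name(const char *in, char *out)
{
    size_t len, i;
    int quoted;

    if (in == NULL || out == NULL)
        return -1;
    len = strlen(in);
    quoted = (len > 0 && in[0] == '"');
    if (quoted) {
        if (len < 3 || in[len - 1] != '"')
            return -1;           /* lone quote, "" or missing close quote */
        in++;                    /* skip the opening quote */
        len -= 2;                /* drop both quotes from the length */
    }
    if (len == 0)
        return -1;
    if (len > NAME_MAX_LEN - 1)
        len = NAME_MAX_LEN - 1;  /* truncate to what a name column can store */
    for (i = 0; i < len; i++)
        out[i] = quoted ? in[i] : (char) tolower((unsigned char) in[i]);
    out[len] = '\0';
    return 0;
}

/* Returns 1 when two spellings resolve to the same stored name, else 0. */
int same_object_name(const char *a, const char *b)
{
    char na[NAME_MAX_LEN], nb[NAME_MAX_LEN];

    if (normalize_object_name(a, na) != 0 || normalize_object_name(b, nb) != 0)
        return 0;
    return strcmp(na, nb) == 0;
}
```

A privilege check that looks names up without this folding can test a different name than the one the SQL parser would resolve for the same text.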