Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

From: "Joe Conway" <joe(dot)conway(at)mail(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-07 05:09:05
Message-ID: 005c01c0ef0f$f9a1c3d0$0705a8c0@jecw2k1
Lists: pgsql-hackers, pgsql-patches

> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model.  (BTW, I only just now added
> truncation code to that routine, so look at current CVS.  Perhaps the
> routine should be renamed and placed somewhere else, so that sequence.c
> and has_table_privilege can share it.)
>

Looking at get_seq_name, it does seem like it should be called something
like get_object_name (or just get_name?) and moved to a common location. Am
I correct in thinking that this function could/should be called by any other
function (internal, C, plpgsql, or otherwise) which accepts a text
representation of a system object name?

What if I rename the get_seq_name function and move it to
backend/utils/adt/name.c (and of course change the references to it in
sequence.c)? Actually, now I'm wondering why nameout doesn't downcase and
truncate.

-- Joe
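
Added example, not code from this message or from the PostgreSQL source: a C sketch of the downcasing and truncation discussed above, applied to a name before it is used in a privilege lookup. `normalize_object_name`, `names_match` and `NAME_BUF_LEN` are hypothetical names, and the quoted-identifier branch is an assumption based on SQL identifier rules rather than anything stated in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PostgreSQL's NAMEDATALEN (buffer size incl. NUL). */
#define NAME_BUF_LEN 64

/*
 * Hypothetical helper: normalize a user-supplied object name before any
 * catalog or privilege lookup. Unquoted names are downcased; names wrapped
 * in double quotes keep their case (assumption; embedded quotes are not
 * handled). Both forms are truncated to NAME_BUF_LEN - 1 bytes.
 * Returns 0 on success, -1 on empty or malformed input.
 */
int normalize_object_name(const char *in, char out[NAME_BUF_LEN])
{
    size_t len = strlen(in), i, n = 0;

    if (len == 0)
        return -1;
    if (in[0] == '"') {
        /* Quoted form needs a closing quote and a non-empty body. */
        if (len < 3 || in[len - 1] != '"')
            return -1;
        for (i = 1; i < len - 1 && n < NAME_BUF_LEN - 1; i++)
            out[n++] = in[i];
    } else {
        for (i = 0; i < len && n < NAME_BUF_LEN - 1; i++)
            out[n++] = (char) tolower((unsigned char) in[i]);
    }
    out[n] = '\0';
    return 0;
}

/* Two spellings refer to the same object only if they normalize identically. */
int names_match(const char *a, const char *b)
{
    char na[NAME_BUF_LEN], nb[NAME_BUF_LEN];

    if (normalize_object_name(a, na) != 0 || normalize_object_name(b, nb) != 0)
        return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    char buf[NAME_BUF_LEN];

    if (normalize_object_name("PG_Statistic", buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Running every name-based entry point through one shared routine keeps a privilege check from resolving a different object than the one the SQL parser would resolve for the same spelling.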



