Skip site navigation (1) Skip section navigation (2)

Re: Probably a security bug in PostgreSQL rule system

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Sergey N(dot) Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru>
Cc: bugs-list PostgreSQL <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: Probably a security bug in PostgreSQL rule system
Date: 2004-01-13 16:34:12
Message-ID: 12054.1074011652@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-general
"Sergey N. Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru> writes:
> Next -- test and it's output, that shows, that if view has INSERT,
> UPDATE and DELETE rules then _ANY_ user can insert, update and delete
> data in tables, that affected by this rules even user has no INSERT,
> UPDATE and DELETE privileges on view and table.

> This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.

I think this is the same issue discussed in this thread:
http://archives.postgresql.org/pgsql-general/2003-12/msg00551.php
and continued here:
http://archives.postgresql.org/pgsql-hackers/2003-12/msg00743.php
It's from an erroneous fix in 7.3.3 for another bug.  We'll probably
have to revert that patch and try again in 7.5.

			regards, tom lane

In response to

pgsql-bugs by date

Next:From: ezra epsteinDate: 2004-01-13 21:35:53
Subject: Re: I find a bug (IMHO)
Previous:From: Tom LaneDate: 2004-01-13 15:48:42
Subject: Re: I find a bug (IMHO)

pgsql-general by date

Next:From: Stephan SzaboDate: 2004-01-13 16:36:21
Subject: Re: sql insert function
Previous:From: Bob PowellDate: 2004-01-13 16:32:22
Subject: Postgress and MYSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group