| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Joe Conway" <joe(at)conway-family(dot)com> |
| Cc: | "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |
| Date: | 2001-06-06 22:10:00 |
| Message-ID: | 6171.991865400@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
"Joe Conway" <joe(at)conway-family(dot)com> writes:
> I wasn't quite sure if there are changes I can/should make to
> has_table_privilege based on this discussion.
My feeling is that the name-based variants of has_table_privilege should
perform downcasing and truncation of the supplied strings before trying
to use them as tablename or username; see get_seq_name in
backend/commands/sequence.c for a model. (BTW, I only just now added
truncation code to that routine, so look at current CVS. Perhaps the
routine should be renamed and placed somewhere else, so that sequence.c
and has_table_privilege can share it.)
Peter's argument seemed to be that there shouldn't be name-based
variants at all, with which I do not agree; but perhaps that's not
what he meant.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alex Pilosov | 2001-06-06 22:14:54 | Re: [HACKERS] something smells bad |
| Previous Message | Alex Pilosov | 2001-06-06 21:58:52 | Re: [HACKERS] something smells bad |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2001-06-07 00:09:16 | Re: unary plus |
| Previous Message | Joe Conway | 2001-06-06 21:45:57 | Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |