
Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Joe Conway" <joe(at)conway-family(dot)com>
Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-06 22:10:00
Message-ID: 6171.991865400@sss.pgh.pa.us
Lists: pgsql-hackers, pgsql-patches
"Joe Conway" <joe(at)conway-family(dot)com> writes:
> I wasn't quite sure if there are changes I can/should make to
> has_table_privilege based on this discussion.

My feeling is that the name-based variants of has_table_privilege should
perform downcasing and truncation of the supplied strings before trying
to use them as tablename or username; see get_seq_name in
backend/commands/sequence.c for a model.  (BTW, I only just now added
truncation code to that routine, so look at current CVS.  Perhaps the
routine should be renamed and placed somewhere else, so that sequence.c
and has_table_privilege can share it.)

Peter's argument seemed to be that there shouldn't be name-based
variants at all, with which I do not agree; but perhaps that's not
what he meant.

			regards, tom lane
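
The normalization suggested in the message above, sketched as an added example that is not part of the e-mail and does not reproduce get_seq_name: a user-supplied name is downcased and truncated before it is compared with a stored name, so the privilege check resolves the same identifier a query would. The function names, the sample names, and the NAMEDATALEN value of 32 are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the real limit is the server's NAMEDATALEN. */
#define NAMEDATALEN 32

/*
 * normalize_name (hypothetical helper): fold a supplied name to lower case
 * and truncate it to NAMEDATALEN-1 bytes.
 * Returns 1 if the input was truncated, 0 if not, -1 on bad arguments.
 */
int normalize_name(const char *in, char *out, size_t outsz)
{
    size_t i, len;
    int truncated = 0;

    if (in == NULL || out == NULL || outsz < NAMEDATALEN)
        return -1;

    len = strlen(in);
    if (len >= NAMEDATALEN) {
        len = NAMEDATALEN - 1;      /* leave room for the terminator */
        truncated = 1;
    }
    for (i = 0; i < len; i++)
        out[i] = (char) tolower((unsigned char) in[i]);
    out[len] = '\0';
    return truncated;
}

/* Constructed stand-in for a catalog lookup: stored names are already folded. */
int name_matches(const char *stored, const char *supplied)
{
    char buf[NAMEDATALEN];

    if (normalize_name(supplied, buf, sizeof buf) < 0)
        return 0;                   /* reject rather than guess */
    return strcmp(stored, buf) == 0;
}

int main(void)
{
    /* Constructed sample input: the same table name in mixed case. */
    printf("raw compare:        %d\n", strcmp("pg_statistic", "PG_Statistic") == 0);
    printf("normalized compare: %d\n", name_matches("pg_statistic", "PG_Statistic"));
    return 0;
}
```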
