Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

From: "Joe Conway" <joe(at)conway-family(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-07 05:09:35
Message-ID: 006401c0ef10$0bb35070$0705a8c0@jecw2k1
Lists: pgsql-hackers pgsql-patches

> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model. (BTW, I only just now added
> truncation code to that routine, so look at current CVS. Perhaps the
> routine should be renamed and placed somewhere else, so that sequence.c
> and has_table_privilege can share it.)
>

Looking at get_seq_name, it does seem like it should be called something
like get_object_name (or just get_name?) and moved to a common location. Am
I correct in thinking that this function could/should be called by any other
function (internal, C, plpgsql, or otherwise) which accepts a text
representation of a system object name?

What if I rename the get_seq_name function and move it to
backend/utils/adt/name.c (and of course change the references to it in
sequence.c)? Actually, now I'm wondering why nameout doesn't downcase and
truncate.

-- Joe
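
The downcasing and truncation described in the quoted text, sketched as an added example; it is not code from this message or from PostgreSQL's get_seq_name. The names normalize_object_name and same_object are hypothetical, the NAMEDATALEN value is assumed, and the double-quoted branch goes beyond the thread, relying on SQL's rule that quoted identifiers keep their case.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAMEDATALEN 64  /* assumed value; PostgreSQL fixes it at build time */

/* Hypothetical helper: fold a caller-supplied object name the way the SQL
 * parser folds an identifier, then truncate. Returns 0, or -1 on bad input. */
int normalize_object_name(const char *in, char *out, size_t outsz)
{
    size_t len, i, o = 0;
    if (in == NULL || out == NULL || outsz < NAMEDATALEN || in[0] == '\0')
        return -1;
    len = strlen(in);
    if (in[0] == '"') {
        /* Quoted name: require the closing quote, keep case, drop quotes. */
        if (len < 3 || in[len - 1] != '"')
            return -1;
        for (i = 1; i < len - 1; i++) {
            if (in[i] == '"')
                return -1;      /* embedded quotes not handled here */
            if (o < NAMEDATALEN - 1)
                out[o++] = in[i];
        }
    } else {
        /* Unquoted name: downcase (ASCII), keep at most NAMEDATALEN - 1 bytes. */
        for (i = 0; i < len && o < NAMEDATALEN - 1; i++)
            out[o++] = (char) tolower((unsigned char) in[i]);
    }
    out[o] = '\0';
    return 0;
}

/* 1 if both spellings name the same object after normalization, else 0. */
int same_object(const char *a, const char *b)
{
    char na[NAMEDATALEN], nb[NAMEDATALEN];
    if (normalize_object_name(a, na, sizeof na) != 0 ||
        normalize_object_name(b, nb, sizeof nb) != 0)
        return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    /* Constructed sample names: two spellings that fold to one object. */
    printf("%d\n", same_object("PG_Statistic", "pg_statistic"));
    return 0;
}
```

A name-based privilege check that skips this step looks up a different string than the one the parser would resolve for the same input, so the check and the query can disagree about which table is meant.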
