| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Sergey N(dot) Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru> |
| Cc: | bugs-list PostgreSQL <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: Probably a security bug in PostgreSQL rule system |
| Date: | 2004-01-13 16:34:12 |
| Message-ID: | 12054.1074011652@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-general |
"Sergey N. Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru> writes:
> Next -- test and it's output, that shows, that if view has INSERT,
> UPDATE and DELETE rules then _ANY_ user can insert, update and delete
> data in tables, that affected by this rules even user has no INSERT,
> UPDATE and DELETE privileges on view and table.
> This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.
I think this is the same issue discussed in this thread:
http://archives.postgresql.org/pgsql-general/2003-12/msg00551.php
and continued here:
http://archives.postgresql.org/pgsql-hackers/2003-12/msg00743.php
It's from an erroneous fix in 7.3.3 for another bug. We'll probably
have to revert that patch and try again in 7.5.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | ezra epstein | 2004-01-13 21:35:53 | Re: I find a bug (IMHO) |
| Previous Message | Tom Lane | 2004-01-13 15:48:42 | Re: I find a bug (IMHO) |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephan Szabo | 2004-01-13 16:36:21 | Re: sql insert function |
| Previous Message | Bob Powell | 2004-01-13 16:32:22 | Postgress and MYSQL |