
Re: Probably a security bug in PostgreSQL rule system

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Sergey N(dot) Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru>
Cc: bugs-list PostgreSQL <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: Probably a security bug in PostgreSQL rule system
Date: 2004-01-13 16:34:12
Lists: pgsql-bugs, pgsql-general
"Sergey N. Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru> writes:
> Next -- test and its output, which shows that if a view has INSERT,
> UPDATE and DELETE rules then _ANY_ user can insert, update and delete
> data in tables that are affected by these rules, even if the user has no
> INSERT, UPDATE and DELETE privileges on the view and table.

> This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.

I think this is the same issue discussed in this thread:
and continued here:
It's from an erroneous fix in 7.3.3 for another bug.  We'll probably
have to revert that patch and try again in 7.5.

			regards, tom lane
