From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: copy.c handling for RLS is insecure |
Date: | 2014-11-27 07:03:05 |
Message-ID: | 20141127070305.GN28859@tamriel.snowman.net |
Lists: | pgsql-hackers |
Robert,

* Stephen Frost (sfrost(at)snowman(dot)net) wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> > In DoCopy, some RLS-specific code constructs a SelectStmt to handle
> > the case where COPY TO is invoked on an RLS-protected relation. But I
> > think this step is bogus in two ways:
> >
> > /* Build FROM clause */
> > from = makeRangeVar(NULL, RelationGetRelationName(rel), 1);
> >
> > First, because relations are schema objects, there could be multiple
> > relations with the same name. The RangeVar might end up referring to
> > a different one of those objects than the user originally specified.
>
> Argh. That's certainly no good. It should just be using the RangeVar
> relation passed in from CopyStmt, no? We don't have to address the case
> where it's NULL (tho we should perhaps Assert(), just to be sure), as
> that would only happen in the COPY select_with_parens ... production and
> this is only for the normal 'COPY relname' case.

Alright, I've done the change to use the RangeVar from CopyStmt, but
also added a check wherein we verify that the relation's OID returned
from the planned query is the same as the relation's OID that we did the
RLS check on- if they're different, we throw an error. Please let me
know if there are any remaining concerns.

Thanks!

Stephen
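
Added example, not part of the message above and not PostgreSQL source: a self-contained C model of the problem and of the OID check the message describes. The catalog contents, OIDs, search path and the names `resolve` and `copy_rel_matches` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned int Oid;
#define InvalidOid 0

/* Constructed toy catalog: two relations share the name "accounts". */
typedef struct { Oid oid; const char *schema; const char *name; } Rel;
static const Rel catalog[] = {
    {16384, "app",    "accounts"},  /* RLS-protected table the user named */
    {16390, "public", "accounts"},  /* same name, different schema */
};
static const char *search_path[] = {"public", "app"};

/* Resolve (schema, name). A NULL schema means "walk search_path", which
 * is what a RangeVar built from the bare relation name would do. */
static Oid resolve(const char *schema, const char *name)
{
    size_t nrel = sizeof catalog / sizeof catalog[0];
    size_t npath = sizeof search_path / sizeof search_path[0];
    for (size_t p = 0; p < (schema ? 1 : npath); p++) {
        const char *s = schema ? schema : search_path[p];
        for (size_t i = 0; i < nrel; i++)
            if (!strcmp(catalog[i].schema, s) && !strcmp(catalog[i].name, name))
                return catalog[i].oid;
    }
    return InvalidOid;
}

/* Model of the added check: the relation the planned query resolved to
 * must be the same one the RLS check was performed on. */
static int copy_rel_matches(Oid checked, Oid planned)
{
    return checked != InvalidOid && checked == planned;
}

int main(void)
{
    Oid checked = resolve("app", "accounts"); /* relation COPY opened    */
    Oid rebuilt = resolve(NULL, "accounts");  /* name-only RangeVar      */
    Oid reused  = resolve("app", "accounts"); /* original RangeVar kept  */
    printf("name-only: %s\n",
           copy_rel_matches(checked, rebuilt) ? "ok" : "ERROR: relation mismatch");
    printf("reused:    %s\n",
           copy_rel_matches(checked, reused) ? "ok" : "ERROR: relation mismatch");
    return 0;
}
```
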