Re: Multivariate MCV stats can leak data to unprivileged users

From: Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>
To: Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Multivariate MCV stats can leak data to unprivileged users
Date: 2019-06-23 20:04:20
Message-ID: 20190623200420.g5fdq54yz5f33wd3@development
Lists: pgsql-hackers

On Sun, Jun 23, 2019 at 06:56:53PM +0100, Dean Rasheed wrote:
>On Mon, 13 May 2019 at 23:36, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com> wrote:
>>
>> On Fri, May 10, 2019 at 10:19:44AM +0100, Dean Rasheed wrote:
>> >While working on 1aebfbea83c, I noticed that the new multivariate MCV
>> >stats feature suffers from the same problem, and also the original
>> >problems that were fixed in e2d4ef8de8 and earlier --- namely that a
>> >user can see values in the MCV lists that they shouldn't see (values
>> >from tables that they don't have privileges on).
>> >
>> >I think there are 2 separate issues here:
>> >
>> >1). The table pg_statistic_ext is accessible to anyone, so any user
>> >can see the MCV lists of any table. I think we should give this the
>> >same treatment as pg_statistic, and hide it behind a security barrier
>> >view, revoking public access from the table.
>> >
>> >2). The multivariate MCV stats planner code can be made to invoke
>> >user-defined operators, so a user can create a leaky operator and use
>> >it to reveal data values from the MCV lists even if they have no
>> >permissions on the table.
>> >
>> >Attached is a draft patch to fix (2), which hooks into
>> >statext_is_compatible_clause().
>> >
>>
>> I think that patch is good.
>>
>
>I realised that we forgot to push this second part, so I've just done so.
>

Whoops! Too many patches in this thread. Thanks for noticing.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
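
The fix proposed for issue (1) in the quoted message, revoking public access from the table and exposing it only through a security barrier view, shown on a constructed stand-in table. This is an added example, not the patch discussed in the thread and not PostgreSQL's own catalog definition; `demo_stats`, `demo_stats_v`, `payroll` and `demo_reader` are hypothetical names and the rows are constructed.

```sql
BEGIN;

-- Constructed stand-in for a statistics catalog: each row stores sample
-- values copied out of some other table (hypothetical schema).
CREATE TABLE payroll (emp text, salary int);
CREATE TABLE demo_stats (
    relid       regclass NOT NULL,  -- table the values were sampled from
    common_vals text[]   NOT NULL   -- most-common values from that table
);
INSERT INTO demo_stats
VALUES ('payroll', ARRAY['alice,90000', 'bob,85000']);

-- Weak setting: the stats table is world-readable, so its contents are
-- visible regardless of the reader's privileges on payroll.
GRANT SELECT ON demo_stats TO PUBLIC;

-- Corrected setting, step 1: remove direct public access to the table.
REVOKE ALL ON demo_stats FROM PUBLIC;

-- Step 2: publish a view that only returns rows for tables the calling
-- role may SELECT from. security_barrier keeps functions and operators in
-- the caller's WHERE clause from being evaluated on rows before this
-- privilege filter has been applied.
CREATE VIEW demo_stats_v WITH (security_barrier) AS
    SELECT relid, common_vals
    FROM demo_stats
    WHERE has_table_privilege(relid::oid, 'select');

GRANT SELECT ON demo_stats_v TO PUBLIC;

-- Check as a role that holds no privileges on payroll: query the view
-- and confirm the payroll-derived row is filtered out.
CREATE ROLE demo_reader;
SET LOCAL ROLE demo_reader;
SELECT relid, common_vals FROM demo_stats_v;
RESET ROLE;

ROLLBACK;  -- leave the database unchanged
```

The view addresses only the catalog-visibility half of the report; issue (2), user-defined operators invoked by the planner, is handled separately in the thread by the patch to `statext_is_compatible_clause()`.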
