| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: copy.c handling for RLS is insecure |
| Date: | 2014-10-06 19:04:57 |
| Message-ID: | 21901.1412622297@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> First, because relations are schema objects, there could be multiple
>> relations with the same name. The RangeVar might end up referring to
>> a different one of those objects than the user originally specified.
> Argh. That's certainly no good. It should just be using the RangeVar
> relation passed in from CopyStmt, no?
No, it shouldn't be doing that either. That would imply looking up the
relation a second time, and then you have a race condition against
concurrent renames (the same type of security bug Robert spent a great
deal of time on, not so long ago).
Once you've identified the target relation by OID, nothing else later in
the command should be doing a fresh lookup by name. Period. If you've
got APIs in here that depend on passing RangeVars to identify relations,
those APIs are broken and need to be changed.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2014-10-06 19:07:04 | Re: copy.c handling for RLS is insecure |
| Previous Message | Peter Geoghegan | 2014-10-06 18:53:27 | Re: Last Commitfest patches waiting review |