| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dilip Kumar <dilipbalaut(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Side effect of CVE-2017-7484 fix? |
| Date: | 2023-11-09 23:36:55 |
| Message-ID: | ZU1tF9Ev33ayhNt5@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Oct 24, 2018 at 04:01:29PM -0400, Robert Haas wrote:
> On Mon, Oct 22, 2018 at 9:47 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Dilip Kumar <dilipbalaut(at)gmail(dot)com> writes:
> > > As part of the security fix
> > > (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> > > users from accessing the statistics of the table if the user doesn't
> > > have privileges on the table and the function is not leakproof. Now,
> > > as a side effect of this, if the user has the privileges on the root
> > > partitioned table but does not have privilege on the child tables, the
> > > user will be able to access the data of the child table but it won't
> > > be able to access the statistics of the child table. This may result
> > > in a bad plan.
> >
> > This was complained of already,
> > https://www.postgresql.org/message-id/flat/3876.1531261875%40sss.pgh.pa.us
>
> I guess you never followed up on that part, though. Any special
> reason for that, or just lack of round tuits?
Should this be added as a TODO item?
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2023-11-09 23:40:55 | Re: remove deprecated @@@ operator ? |
| Previous Message | Bruce Momjian | 2023-11-09 23:35:42 | Re: pg_walfile_name_offset can return inconsistent values |