Re: Multivariate MCV stats can leak data to unprivileged users
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Dean Rasheed <dean.a.rasheed@gmail.com>
Cc: Andres Freund <andres@anarazel.de>,
Tomas Vondra <tomas.vondra@2ndquadrant.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2019-05-18T15:13:08Z
Lists: pgsql-hackers
Dean Rasheed <dean.a.rasheed@gmail.com> writes: > On the other hand, pg_dump relies on pg_statistic_ext to work out > which extended statistics objects to dump. If we were to change that > to use pg_stats_ext, then a user dumping a table with RLS using the > --enable-row-security flag wouldn't get any extended statistics > objects, which would be a somewhat surprising result. It seems like what we need here is to have a separation between the *definition* of a stats object (which is what pg_dump needs access to) and the current actual *data* in it. I'd have expected that keeping those in separate catalogs would be the thing to do, though perhaps it's too late for that. regards, tom lane
Commits
-
Add security checks to the multivariate MCV estimation code.
- d7f8d26d9f4c 12.0 landed
-
Add pg_stats_ext view for extended statistics
- aa087ec64f70 12.0 landed
-
Rework the pg_statistic_ext catalog
- 6cbfb784c3c9 12.0 landed