Re: Multivariate MCV stats can leak data to unprivileged users

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Tomas Vondra <tomas.vondra@2ndquadrant.com>
Cc: Andres Freund <andres@anarazel.de>, Dean Rasheed <dean.a.rasheed@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2019-05-18T19:45:11Z
Lists: pgsql-hackers
Tomas Vondra <tomas.vondra@2ndquadrant.com> writes:
> On Sat, May 18, 2019 at 11:49:06AM -0700, Andres Freund wrote:
>>> On Sat, 18 May 2019 at 16:13, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>>> It seems like what we need here is to have a separation between the
>>>> *definition* of a stats object (which is what pg_dump needs access
>>>> to) and the current actual *data* in it.

>> Otoh, having a suboptimal catalog representation that we'll likely have
>> to change in one of the next releases also isn't great. Seems likely
>> that we'll need post beta1 catversion bumps anyway?

> But that's not an issue intruduced by PG12, it works like that even for
> the extended statistics introduced in PG10.

Yeah, but no time like the present to fix it if it's wrong ...

			regards, tom lane



Commits

  1. Add security checks to the multivariate MCV estimation code.

  2. Add pg_stats_ext view for extended statistics

  3. Rework the pg_statistic_ext catalog