Re: CVE-2017-7484-induced bugs, or, btree cmp functions are not leakproof?
Amit Langote <amitlangote09@gmail.com>
From: Amit Langote <amitlangote09@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dilip Kumar <dilipbalaut@gmail.com>,
Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2019-09-06T05:59:25Z
Lists: pgsql-hackers
Attachments
- v5-0001-Use-root-parent-s-permissions-when-reading-child-.patch (application/octet-stream) patch v5-0001
On Fri, Sep 6, 2019 at 12:53 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Amit Langote <amitlangote09@gmail.com> writes: > > On Thu, Sep 5, 2019 at 6:18 PM Dilip Kumar <dilipbalaut@gmail.com> wrote: > >> Instead of falling back to the child, isn't it make more sense to > >> check the permissions on the parent upto which we could translate (it > >> may not be the root parent)? > > > Hmm, in that case, the parent up to which we might be able to > > translate would still be a child and might have different permissions > > than the table mentioned in the query (what's being called "root" in > > this context). Would it be worth further complicating this code if > > that's the case? > > I think that checking intermediate levels would be an actively bad idea > --- it would make the behavior too confusing. We should preferably check > the table actually named in the query, or if we can't then check the > table we are using the stats of; nothing else. Agreed. > Another idea that we should consider, though, is to allow the access if > *either* of those two tables allows it. The main reason that that's > attractive is that it's certain not to break any case that works today. > But also, it would mean that in many practical cases we'd not have to > try to map Vars back up to the original parent, thus avoiding the > performance penalty. (That is, check the target table as we do now, > and only if we find it lacks permissions do we start mapping back.) Ah, that sounds like a good idea. Patch updated that way. Thanks, Amit
Commits
-
Allow access to child table statistics if user can read parent table.
- 553d2ec2710b 13.0 landed
- 21a4edd1281d 12.2 landed
- 1d9056f563f3 11.7 landed
-
Mark built-in btree comparison functions as leakproof where it's safe.
- 39a96512b3ed 12.0 landed