Re: Multivariate MCV stats can leak data to unprivileged users
Dean Rasheed <dean.a.rasheed@gmail.com>
From: Dean Rasheed <dean.a.rasheed@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>,
Tomas Vondra <tomas.vondra@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2019-05-18T15:43:29Z
Lists: pgsql-hackers
On Sat, 18 May 2019 at 16:13, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Dean Rasheed <dean.a.rasheed@gmail.com> writes: > > On the other hand, pg_dump relies on pg_statistic_ext to work out > > which extended statistics objects to dump. If we were to change that > > to use pg_stats_ext, then a user dumping a table with RLS using the > > --enable-row-security flag wouldn't get any extended statistics > > objects, which would be a somewhat surprising result. > > It seems like what we need here is to have a separation between the > *definition* of a stats object (which is what pg_dump needs access > to) and the current actual *data* in it. I'd have expected that > keeping those in separate catalogs would be the thing to do, though > perhaps it's too late for that. > Yeah, with the benefit of hindsight, that would have made sense, but that seems like a pretty big change to be attempting at this stage. Regards, Dean
Commits
-
Add security checks to the multivariate MCV estimation code.
- d7f8d26d9f4c 12.0 landed
-
Add pg_stats_ext view for extended statistics
- aa087ec64f70 12.0 landed
-
Rework the pg_statistic_ext catalog
- 6cbfb784c3c9 12.0 landed