Re: Is this a bug, possible security hole, or wrong assumption? - Mailing list pgsql-general

From Sander Steffann
Subject Re: Is this a bug, possible security hole, or wrong assumption?
Msg-id 001601c20f96$c2f655f0$64c8a8c0@balefire10ww
In response to Is this a bug, possible security hole, or wrong assumption?  (Mike Mascari <mascarm@mascari.com>)
List pgsql-general
Hi,

> Mike Mascari <mascarm@mascari.com> writes:
> > What appears to me is that the rewriter is just tacking the IS NULL test
> > onto the parsed query. As a result, a function is called with data from
> > a view before the evaluation of IS NULL removes those rows from the
> > selection process. Is that right? If so, is that a security problem?
>
> You're essentially asking for a guarantee about the order of evaluation
> of WHERE clauses.  There is no such guarantee, and won't be because it
> would be a crippling blow to performance.

But he is right in that his trick works. This proves that views cannot be
safely used for security, which is an important thing to realise...

Sander.
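
The following is an added example, not part of the original thread: a way to check whether a caller-supplied function can see rows that a view's IS NULL filter is meant to hide, and the later hardening for it. The schema, the view and the probe() function are constructed and hypothetical; the security_barrier option assumes PostgreSQL 9.2 or later.

```sql
-- Constructed schema; every name here is hypothetical.
CREATE TABLE employees (
    name          text,
    salary        numeric,
    restricted_by text       -- NULL means the row may be shown to everyone
);
INSERT INTO employees VALUES
    ('alice', 50000, NULL),
    ('bob',   90000, 'hr');  -- meant to stay hidden behind the view

-- The view used as a security boundary: only unrestricted rows.
CREATE VIEW public_employees AS
    SELECT name, salary FROM employees WHERE restricted_by IS NULL;

-- A user-defined function with a side effect: it reports every row
-- it is handed, whether or not that row ends up in the result.
CREATE FUNCTION probe(text, numeric) RETURNS boolean AS $$
BEGIN
    RAISE NOTICE 'probe saw % / %', $1, $2;
    RETURN true;
END;
$$ LANGUAGE plpgsql;

-- Check 1: inspect where the caller's predicate lands relative to the
-- view's own restricted_by IS NULL test.
EXPLAIN (COSTS OFF)
SELECT * FROM public_employees WHERE probe(name, salary);

-- Hardening: quals that are not marked LEAKPROOF may no longer be
-- pushed below the view's own WHERE clause.
ALTER VIEW public_employees SET (security_barrier = true);

-- Check 2: the same plan inspection, then the query itself.
-- probe() is now applied only to rows the view has already let through.
EXPLAIN (COSTS OFF)
SELECT * FROM public_employees WHERE probe(name, salary);
SELECT * FROM public_employees WHERE probe(name, salary);
```

In the first plan both conditions sit in a single Filter on the scan of employees, so their evaluation order is the planner's choice, which is the missing guarantee discussed above. In the second plan probe() is applied in a Subquery Scan above the scan that applies the IS NULL test.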


