Home > mailing lists

Re: Probably a security bug in PostgreSQL rule system - Mailing list pgsql-bugs

From	Tom Lane
Subject	Re: Probably a security bug in PostgreSQL rule system
Date	January 13, 2004 15:34:57
Msg-id	12054.1074011652@sss.pgh.pa.us Whole thread Raw
In response to	Probably a security bug in PostgreSQL rule system ("Sergey N. Yatskevich" <syatskevich@n21lab.gosniias.msk.ru>)
List	pgsql-bugs

Tree view

"Sergey N. Yatskevich" <syatskevich@n21lab.gosniias.msk.ru> writes:
> Next -- test and it's output, that shows, that if view has INSERT,
> UPDATE and DELETE rules then _ANY_ user can insert, update and delete
> data in tables, that affected by this rules even user has no INSERT,
> UPDATE and DELETE privileges on view and table.

> This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.

I think this is the same issue discussed in this thread:
http://archives.postgresql.org/pgsql-general/2003-12/msg00551.php
and continued here:
http://archives.postgresql.org/pgsql-hackers/2003-12/msg00743.php
It's from an erroneous fix in 7.3.3 for another bug.  We'll probably
have to revert that patch and try again in 7.5.

            regards, tom lane

pgsql-bugs by date:

From: Tom Lane
Date: 13 January 2004, 14:49:14
Subject: Re: I find a bug (IMHO)

From: "PostgreSQL Bugs List"
Date: 14 January 2004, 11:48:37
Subject: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

Re: Probably a security bug in PostgreSQL rule system - Mailing list pgsql-bugs

Previous

Next