Re: Multivariate MCV stats can leak data to unprivileged users - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Multivariate MCV stats can leak data to unprivileged users
Date
Msg-id 2509.1558289694@sss.pgh.pa.us
Whole thread Raw
In response to Re: Multivariate MCV stats can leak data to unprivileged users  (Tomas Vondra <tomas.vondra@2ndquadrant.com>)
Responses Re: Multivariate MCV stats can leak data to unprivileged users
List pgsql-hackers
Tomas Vondra <tomas.vondra@2ndquadrant.com> writes:
> On Sun, May 19, 2019 at 10:28:43AM -0400, Tom Lane wrote:
>> No, wait, scratch that.  We could fold the three existing types
>> pg_ndistinct, pg_dependencies, pg_mcv_list into one new type, say
>> "pg_stats_ext_data", where the actual storage would need to have an
>> ID field (so we'd waste a byte or two duplicating the externally
>> visible stxkind field inside stxdata).  The output function for this
>> type is just a switch over the existing code.  The big advantage of
>> this way compared to the current approach is that adding a new
>> ext-stats type requires *zero* work with adding new catalog entries.
>> Just add another switch case in pg_stats_ext_data_out() and you're
>> done.

> The annoying thing is that this undoes the protections provided by special
> data types generated only in internally. It's not possible to generate
> e.g. pg_mcv_list values in user code (except for C code, at which points
> all bets are off anyway). By abandoning this and reverting to bytea anyone
> could craft a bytea and claim it's a statistic value.

That would have been true of the original proposal, but not of this
modified one.

            regards, tom lane



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Emacs vs pg_indent's weird indentation for function declarations
Next
From: Tom Lane
Date:
Subject: Re: Remove useless associativity/precedence from parsers