Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Msg-id 6171.991865400@sss.pgh.pa.us
In response to Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal  ("Joe Conway" <joe@conway-family.com>)
Responses Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers

"Joe Conway" <joe@conway-family.com> writes:
> I wasn't quite sure if there are changes I can/should make to
> has_table_privilege based on this discussion.

My feeling is that the name-based variants of has_table_privilege should
perform downcasing and truncation of the supplied strings before trying
to use them as tablename or username; see get_seq_name in
backend/commands/sequence.c for a model.  (BTW, I only just now added
truncation code to that routine, so look at current CVS.  Perhaps the
routine should be renamed and placed somewhere else, so that sequence.c
and has_table_privilege can share it.)

Peter's argument seemed to be that there shouldn't be name-based
variants at all, with which I do not agree; but perhaps that's not
what he meant.
        regards, tom lane
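
An added example (not part of the original message, and not PostgreSQL's get_seq_name code): a C sketch of the downcasing and truncation described above, so that a name-based privilege check resolves the same name the stored object has. `normalize_name`, `same_name`, `SKETCH_NAMEDATALEN` (set to 32 here) and the treatment of double-quoted names are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this sketch; the real one is the build-time NAMEDATALEN. */
#define SKETCH_NAMEDATALEN 32u

/*
 * Hypothetical helper: fold a caller-supplied name before it is used as a
 * table or user name. Unquoted names are downcased; a name wrapped in double
 * quotes keeps its case (assumption; embedded quotes are not unescaped).
 * The result is truncated to SKETCH_NAMEDATALEN - 1 bytes. Returns 0, or -1
 * on NULL, empty, or undersized-buffer input.
 */
int normalize_name(const char *in, char *out, size_t outsz)
{
    size_t len, i;
    int quoted;
    if (in == NULL || out == NULL || outsz < SKETCH_NAMEDATALEN)
        return -1;
    len = strlen(in);
    quoted = (len >= 2 && in[0] == '"' && in[len - 1] == '"');
    if (quoted) { in++; len -= 2; }     /* strip the surrounding quotes */
    if (len == 0)
        return -1;
    if (len > SKETCH_NAMEDATALEN - 1)
        len = SKETCH_NAMEDATALEN - 1;   /* truncate like a stored name */
    for (i = 0; i < len; i++)
        out[i] = quoted ? in[i] : (char) tolower((unsigned char) in[i]);
    out[len] = '\0';
    return 0;
}

/* 1 if both spellings name the same object after normalization, else 0. */
int same_name(const char *a, const char *b)
{
    char na[SKETCH_NAMEDATALEN], nb[SKETCH_NAMEDATALEN];
    if (normalize_name(a, na, sizeof na) != 0 ||
        normalize_name(b, nb, sizeof nb) != 0)
        return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    printf("%d %d\n", same_name("PG_Statistic", "pg_statistic"),
           same_name("\"PG_Statistic\"", "pg_statistic"));
    return 0;
}
```

Two names that differ only past the truncation point compare equal here, which is why the privilege check and the catalog lookup have to truncate identically.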

