Re: CREATE POLICY and RETURNING - Mailing list pgsql-hackers

From Zhaomo Yang
Subject Re: CREATE POLICY and RETURNING
Date
Msg-id CALPr3ow+1NN1u-PLSmkBy07f0qsZ0ALxhz_Wt33s7YyYMNDn+Q@mail.gmail.com
In response to Re: CREATE POLICY and RETURNING  (Stephen Frost <sfrost@snowman.net>)
Responses Re: CREATE POLICY and RETURNING  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Stephen,

It'd be great if others who are interested can help define the grammar changes necessary
and perhaps even help with the code aspect of it.
I'd like to help on both. Can you elaborate a little bit more, especially on the code aspect?

I don't buy that argument.
It is agreed that blind updates and deletes with a RETURNING clause are dangerous. It is quite similar here.
Instead of using 
   BEGIN
   UPDATE-or-DELETE-with-RETURNING
   ROLLBACK 
as a substitute for SELECT, a malicious user can do a binary search with some trick like divide-by-zero
to figure out rows he is not allowed to access. Of course, this is not as serious as RETURNING, but it is still quite convenient for attackers.

Thanks,
Zhaomo