Thread: [COMMITTERS] pgsql: Add security checks to selectivity estimation functions
[COMMITTERS] pgsql: Add security checks to selectivity estimation functions
From
Peter Eisentraut
Date:
Add security checks to selectivity estimation functions Some selectivity estimation functions run user-supplied operators over data obtained from pg_statistic without security checks, which allows those operators to leak pg_statistic data without having privileges on the underlying tables. Fix by checking that one of the following is satisfied: (1) the user has table or column privileges on the table underlying the pg_statistic data, or (2) the function implementing the user-supplied operator is leak-proof. If neither is satisfied, planning will proceed as if there are no statistics available. At least one of these is satisfied in most cases in practice. The only situations that are negatively impacted are user-defined or not-leak-proof operators on a security-barrier view. Reported-by: Robert Haas <robertmhaas@gmail.com> Author: Peter Eisentraut <peter_e@gmx.net> Author: Tom Lane <tgl@sss.pgh.pa.us> Security: CVE-2017-7484 Branch ------ REL9_6_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/c33c42362256382ed398df9dcda559cd547c68a7 Modified Files -------------- doc/src/sgml/planstats.sgml | 60 +++++++++++ src/backend/utils/adt/array_selfuncs.c | 6 +- src/backend/utils/adt/rangetypes_selfuncs.c | 22 ++++ src/backend/utils/adt/selfuncs.c | 160 ++++++++++++++++++++++------ src/include/utils/selfuncs.h | 2 + src/test/regress/expected/privileges.out | 97 +++++++++++++++++ src/test/regress/sql/privileges.sql | 61 +++++++++++ 7 files changed, 376 insertions(+), 32 deletions(-)