Thread: [COMMITTERS] pgsql: Add security checks to selectivity estimation functions
[COMMITTERS] pgsql: Add security checks to selectivity estimation functions
From
Peter Eisentraut
Date:
Add security checks to selectivity estimation functions Some selectivity estimation functions run user-supplied operators over data obtained from pg_statistic without security checks, which allows those operators to leak pg_statistic data without having privileges on the underlying tables. Fix by checking that one of the following is satisfied: (1) the user has table or column privileges on the table underlying the pg_statistic data, or (2) the function implementing the user-supplied operator is leak-proof. If neither is satisfied, planning will proceed as if there are no statistics available. At least one of these is satisfied in most cases in practice. The only situations that are negatively impacted are user-defined or not-leak-proof operators on a security-barrier view. Reported-by: Robert Haas <robertmhaas@gmail.com> Author: Peter Eisentraut <peter_e@gmx.net> Author: Tom Lane <tgl@sss.pgh.pa.us> Security: CVE-2017-7484 Branch ------ REL9_3_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/4f1b2089a1b8f82cbd28b4cd8d0e1e9f1486d2b6 Modified Files -------------- doc/src/sgml/planstats.sgml | 60 +++++++++++ src/backend/utils/adt/array_selfuncs.c | 6 +- src/backend/utils/adt/rangetypes_selfuncs.c | 22 ++++ src/backend/utils/adt/selfuncs.c | 160 ++++++++++++++++++++++------ src/include/utils/selfuncs.h | 2 + src/test/regress/expected/privileges.out | 97 +++++++++++++++++ src/test/regress/sql/privileges.sql | 61 +++++++++++ 7 files changed, 376 insertions(+), 32 deletions(-)