projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 55eebb8) | patch
Fix security checks for selectivity estimation functions with RLS.
authorDean Rasheed <dean.a.rasheed@gmail.com>
Mon, 6 May 2019 10:45:01 +0000 (11:45 +0100)
committerDean Rasheed <dean.a.rasheed@gmail.com>
Mon, 6 May 2019 10:45:01 +0000 (11:45 +0100)
commit085d64d9d236315dd646f42e195f822aeb15c54e
tree45b5f68cc6fe7a1066ea4829a14f3645977ef5dctree | snapshot
parent55eebb80005c34652234ff4a8db58914d83d47e6commit | diff
Fix security checks for selectivity estimation functions with RLS.

In commit e2d4ef8de8, security checks were added to prevent
user-supplied operators from running over data from pg_statistic
unless the user has table or column privileges on the table, or the
operator is leakproof. For a table with RLS, however, checking for
table or column privileges is insufficient, since that does not
guarantee that the user has permission to view all of the column's
data.

Fix this by also checking for securityQuals on the RTE, and insisting
that the operator be leakproof if there are any. Thus the
leakproofness check will only be skipped if there are no securityQuals
and the user has table or column privileges on the table -- i.e., only
if we know that the user has access to all the data in the column.

Back-patch to 9.5 where RLS was added.

Dean Rasheed, reviewed by Jonathan Katz and Stephen Frost.

Security: CVE-2019-10130
src/backend/utils/adt/selfuncs.c diff | blob | history
src/test/regress/expected/rowsecurity.out diff | blob | history
src/test/regress/sql/rowsecurity.sql diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.