Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
From | Joe Conway |
---|---|
Subject | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |
Date | |
Msg-id | 006401c0ef10$0bb35070$0705a8c0@jecw2k1 |
In reply to | Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal (Peter Eisentraut <peter_e@gmx.net>) |
List | pgsql-hackers |
> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model. (BTW, I only just now added
> truncation code to that routine, so look at current CVS. Perhaps the
> routine should be renamed and placed somewhere else, so that sequence.c
> and has_table_privilege can share it.)
>

Looking at get_seq_name, it does seem like it should be called something like get_object_name (or just get_name?) and moved to a common location. Am I correct in thinking that this function could/should be called by any other function (internal, C, plpgsql, or otherwise) which accepts a text representation of a system object name? What if I rename the get_seq_name function and move it to backend/utils/adt/name.c (and of course change the references to it in sequence.c)?

Actually, now I'm wondering why nameout doesn't downcase and truncate.

-- Joe
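The point of the quoted suggestion is that a privilege check which takes object names as text must fold them the same way the parser folds unquoted identifiers, or it ends up looking up (and answering for) a different relation than the one the caller meant. The following C program is an added illustration written for this page; it is not PostgreSQL's get_seq_name, nameout or has_table_privilege code. It assumes a toy in-memory catalog, a hypothetical normalize_name helper, and a NAME_MAX_LEN of 31 bytes standing in for NAMEDATALEN-1 (the real value depends on the server build). Quoted identifiers are deliberately out of scope, as in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit standing in for NAMEDATALEN-1; build dependent in practice. */
#define NAME_MAX_LEN 31

/* Hypothetical helper (not PostgreSQL's own): downcase ASCII letters and
 * truncate to NAME_MAX_LEN bytes, writing the result into out.
 * Returns 1 if the input was longer than what was kept, else 0. */
int normalize_name(const char *in, char *out, size_t outsz)
{
    size_t limit = outsz - 1;
    if (limit > NAME_MAX_LEN)
        limit = NAME_MAX_LEN;

    size_t i = 0;
    for (; in[i] != '\0' && i < limit; i++)
        out[i] = (char) tolower((unsigned char) in[i]);
    out[i] = '\0';
    return in[i] != '\0';
}

/* Constructed toy catalog: names are stored already folded and truncated,
 * which is how CREATE TABLE MyTable ... ends up as "mytable". */
struct catalog_entry { const char *relname; const char *owner; };

static const struct catalog_entry catalog[] = {
    { "mytable", "alice" },
    /* exactly 31 bytes: what a longer unquoted name is stored as */
    { "abcdefghijabcdefghijabcdefghijk", "bob" },
    { NULL, NULL }
};

/* Name-based privilege check. Returns 1 if user owns the table, 0 if the
 * table exists but is owned by someone else, -1 if no such relation (the
 * case where the real function would raise an error).
 * `normalize` toggles the folding the thread argues for, so both
 * behaviours can be compared. */
int has_table_privilege_by_name(const char *user_text, const char *table_text,
                                int normalize)
{
    char ubuf[NAME_MAX_LEN + 1], tbuf[NAME_MAX_LEN + 1];
    const char *user = user_text, *table = table_text;

    if (normalize) {
        normalize_name(user_text, ubuf, sizeof ubuf);
        normalize_name(table_text, tbuf, sizeof tbuf);
        user = ubuf;
        table = tbuf;
    }

    for (const struct catalog_entry *e = catalog; e->relname != NULL; e++)
        if (strcmp(e->relname, table) == 0)
            return strcmp(e->owner, user) == 0;
    return -1;
}

int main(void)
{
    /* Without folding, the mixed-case text never matches the catalog. */
    printf("raw   Alice/MyTable -> %d\n",
           has_table_privilege_by_name("Alice", "MyTable", 0));
    /* With folding, the same text resolves to the object the user created. */
    printf("fold  Alice/MyTable -> %d\n",
           has_table_privilege_by_name("Alice", "MyTable", 1));
    /* Over-long input is truncated the same way the stored name was. */
    printf("fold  BOB/long name -> %d\n",
           has_table_privilege_by_name("BOB",
               "ABCDEFGHIJABCDEFGHIJABCDEFGHIJKLMNOP", 1));
    return 0;
}
```

The raw path returns "no such relation" for a name the user plainly owns, while the folded path agrees with what the parser would have done with the same unquoted identifier; the truncation case shows why both steps, not just downcasing, have to match the catalog's storage rules.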