Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model.  (BTW, I only just now added
> truncation code to that routine, so look at current CVS.  Perhaps the
> routine should be renamed and placed somewhere else, so that sequence.c
> and has_table_privilege can share it.)
>

Looking at get_seq_name, it does seem like it should be called something
like get_object_name (or just get_name?) and moved to a common location. Am
I correct in thinking that this function could/should be called by any other
function (internal, C, plpgsql, or otherwise) which accepts a text
representation of a system object name?

What if I rename the get_seq_name function and move it to
backend/utils/adt/name.c (and of course change the references to it in
sequence.c)? Actually, now I'm wondering why nameout doesn't downcase and
truncate.

-- Joe