Re: Probably a security bug in PostgreSQL rule system

From: Tom Lane
Subject: Re: Probably a security bug in PostgreSQL rule system
Msg-id: 12054.1074011652@sss.pgh.pa.us
In reply to: Probably a security bug in PostgreSQL rule system  ("Sergey N. Yatskevich" <syatskevich@n21lab.gosniias.msk.ru>)
List: pgsql-bugs

"Sergey N. Yatskevich" <syatskevich@n21lab.gosniias.msk.ru> writes:
> Next -- test and its output, that shows, that if view has INSERT,
> UPDATE and DELETE rules then _ANY_ user can insert, update and delete
> data in tables, that affected by this rules even user has no INSERT,
> UPDATE and DELETE privileges on view and table.

> This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.

I think this is the same issue discussed in this thread:
http://archives.postgresql.org/pgsql-general/2003-12/msg00551.php
and continued here:
http://archives.postgresql.org/pgsql-hackers/2003-12/msg00743.php
It's from an erroneous fix in 7.3.3 for another bug.  We'll probably
have to revert that patch and try again in 7.5.

            regards, tom lane
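
A privilege check for the situation the report describes, added here as an example; it is not the test from the original report, which this page does not include. All object and user names are constructed, and it assumes a psql session running as a superuser in a scratch database, with psql left at its default of continuing after an error.

```sql
-- Constructed objects for illustration; every name here is hypothetical.
CREATE TABLE rule_demo_t (id integer PRIMARY KEY, val text);
CREATE VIEW rule_demo_v AS SELECT id, val FROM rule_demo_t;

-- The three kinds of rule the report mentions: INSERT, UPDATE and DELETE
-- on the view, each redirected to the underlying table.
CREATE RULE rule_demo_ins AS ON INSERT TO rule_demo_v
    DO INSTEAD INSERT INTO rule_demo_t VALUES (NEW.id, NEW.val);
CREATE RULE rule_demo_upd AS ON UPDATE TO rule_demo_v
    DO INSTEAD UPDATE rule_demo_t SET val = NEW.val WHERE id = OLD.id;
CREATE RULE rule_demo_del AS ON DELETE TO rule_demo_v
    DO INSTEAD DELETE FROM rule_demo_t WHERE id = OLD.id;

INSERT INTO rule_demo_t VALUES (1, 'owner row');

-- A user with no privileges on either the view or the table.
CREATE USER rule_demo_nopriv;
REVOKE ALL ON rule_demo_t, rule_demo_v FROM PUBLIC;
REVOKE ALL ON rule_demo_t, rule_demo_v FROM rule_demo_nopriv;

SET SESSION AUTHORIZATION rule_demo_nopriv;

-- With privilege checking working, each statement is refused because the
-- user holds no INSERT, UPDATE or DELETE privilege on the view. The report
-- says that on the affected versions such statements went through.
INSERT INTO rule_demo_v VALUES (2, 'written without privileges');
UPDATE rule_demo_v SET val = 'changed without privileges' WHERE id = 1;
DELETE FROM rule_demo_v WHERE id = 1;

RESET SESSION AUTHORIZATION;

-- Inspect the table as the owner: any row other than the original one,
-- or a missing or altered original row, means a statement above got past
-- the privilege check on the view.
SELECT id, val FROM rule_demo_t ORDER BY id;

-- Clean up the constructed objects.
DROP VIEW rule_demo_v;
DROP TABLE rule_demo_t;
DROP USER rule_demo_nopriv;
```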
