Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants

Поиск
Список
Период
Сортировка
От Heikki Linnakangas
Тема Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants
Дата
Msg-id 48A09C16.6020803@enterprisedb.com
обсуждение исходный текст
Ответ на Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants  ("Heikki Linnakangas" <heikki@enterprisedb.com>)
Ответы Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-bugs
Дерево обсуждения 
Heikki Linnakangas wrote:
> Brendan O'Shea wrote:
>> There appears to be a bug in the way that permissions are determined for
>> views that contain "UNION ALL" in their definition.
>> There is a simple test case to reproduce the bug.
>>
>> 1) As a superuser create the following objects:
>>
>> CREATE ROLE test_perm LOGIN PASSWORD 'test_perm';
>>
>> CREATE OR REPLACE VIEW public.simple_select AS SELECT 1;
>> CREATE OR REPLACE VIEW public.union_all AS SELECT 1 UNION ALL SELECT 2;
>>
>>
>> 2) Now log in as the test_perm user and run the following SQL:
>>
>> select * from public.simple_select;
>> select * from public.union_all;
>>
>> The first SQL statement correctly produces an error, but the second
>> statement will return results with no error, it should instead generate a
>> permission error.
>
> Hmm, looks like pull_up_subqueries somehow loses the range table entry
> referring the original view. It's reproducible on PG version 8.2 and
> higher, 8.1 seems to work. I'll dig deeper tomorrow, unless someone else
> beats me to it.

Yep, pull_up_simple_union_all neglects to copy those range table
references that are not directly referenced in any of the UNION ALL
subqueries.

Attached is a patch for this. I have to go to sleep now, but will commit
this tomorrow unless someone comes up with a better idea. One thing that
I'm not totally happy about is that I'm using list_union, which uses
O(n^2) algorithm.

Thanks for the report!

--
   Heikki Linnakangas
   EnterpriseDB   http://www.enterprisedb.com
Index: src/backend/optimizer/prep/prepjointree.c
===================================================================
RCS file: /home/hlinnaka/pgcvsrepository/pgsql/src/backend/optimizer/prep/prepjointree.c,v
retrieving revision 1.44
diff -c -r1.44 prepjointree.c
*** src/backend/optimizer/prep/prepjointree.c    4 Oct 2006 00:29:54 -0000    1.44
--- src/backend/optimizer/prep/prepjointree.c    11 Aug 2008 19:54:30 -0000
***************
*** 487,492 ****
--- 487,500 ----
      pull_up_union_leaf_queries(subquery->setOperations, root, varno, subquery);

      /*
+      * pull_up_union_leaf_queries copied those range table entries that were
+      * referenced from one of the UNION ALL subqueries, but we need to make
+      * sure that all non-referenced ones are copied as well. They are needed
+      * for permission checks during executor startup (ExecCheckRTPerms).
+      */
+     root->parse->rtable = list_union(root->parse->rtable, subquery->rtable);
+
+     /*
       * Mark the parent as an append relation.
       */
      rte->inh = true;

В списке pgsql-bugs по дате отправления:

Предыдущее
От: "Heikki Linnakangas"
Дата:
Сообщение: Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants
Следующее
От: "Lawrence Cohan"
Дата:
Сообщение: BUG #4351: Full text search performance