Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
| From | Tom Lane |
|---|---|
| Subject | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |
| Date | |
| Msg-id | 6171.991865400@sss.pgh.pa.us |
| In reply to | Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal ("Joe Conway" <joe@conway-family.com>) |
| Responses | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |
| List | pgsql-hackers |

"Joe Conway" <joe@conway-family.com> writes:

> I wasn't quite sure if there are changes I can/should make to
> has_table_privilege based on this discussion.

My feeling is that the name-based variants of has_table_privilege should
perform downcasing and truncation of the supplied strings before trying
to use them as tablename or username; see get_seq_name in
backend/commands/sequence.c for a model. (BTW, I only just now added
truncation code to that routine, so look at current CVS. Perhaps the
routine should be renamed and placed somewhere else, so that sequence.c
and has_table_privilege can share it.)

Peter's argument seemed to be that there shouldn't be name-based
variants at all, with which I do not agree; but perhaps that's not
what he meant.

regards, tom lane
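
The downcasing-and-truncation step proposed in the message above, as an added example that is not part of the original mail and is not PostgreSQL's get_seq_name. `normalize_name`, `same_object`, the 32-byte `NAME_LEN` and the double-quote handling are assumptions made for illustration; the point is that a name-based privilege check has to fold its argument the way identifiers are folded elsewhere, so that it checks the object a query would actually reach.

```c
#include <ctype.h>
#include <string.h>

/* Assumed limit for this sketch; PostgreSQL uses the build-time NAMEDATALEN. */
#define NAME_LEN 32

/*
 * normalize_name (hypothetical helper): fold a caller-supplied name the way
 * an SQL identifier is folded. Unquoted names are downcased; a name wrapped
 * in double quotes keeps its case and loses the quotes (assumption: embedded
 * "" escapes are not handled). The result is truncated to NAME_LEN - 1 bytes.
 * Returns 0 on success, -1 on empty or malformed input.
 */
int normalize_name(const char *raw, char *out, size_t outsz)
{
    size_t len = strlen(raw), n = 0, max;

    if (outsz == 0 || len == 0)
        return -1;
    max = (outsz < NAME_LEN ? outsz : NAME_LEN) - 1;
    if (raw[0] == '"') {
        if (len < 3 || raw[len - 1] != '"')
            return -1;               /* unterminated or empty quoted name */
        for (size_t i = 1; i < len - 1 && n < max; i++)
            out[n++] = raw[i];       /* case preserved */
    } else {
        for (size_t i = 0; i < len && n < max; i++)
            out[n++] = (char) tolower((unsigned char) raw[i]);
    }
    out[n] = '\0';
    return 0;
}

/* 1 if both spellings name the same catalog entry after folding, else 0. */
int same_object(const char *a, const char *b)
{
    char na[NAME_LEN], nb[NAME_LEN];

    if (normalize_name(a, na, sizeof na) || normalize_name(b, nb, sizeof nb))
        return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    /* Constructed inputs: the check must treat these as one table. */
    return same_object("PG_Statistic", "pg_statistic") ? 0 : 1;
}
```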