Re: CREATE POLICY and RETURNING

From Zhaomo Yang
Subject Re: CREATE POLICY and RETURNING
Date
Msg-id CALPr3ow+1NN1u-PLSmkBy07f0qsZ0ALxhz_Wt33s7YyYMNDn+Q@mail.gmail.com
In reply to Re: CREATE POLICY and RETURNING  (Stephen Frost <sfrost@snowman.net>)
Responses Re: CREATE POLICY and RETURNING  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Stephen,

It'd be great if others who are interested can help define the grammar changes necessary
and perhaps even help with the code aspect of it.
I'd like to help on both. Can you elaborate a little bit more, especially on the code aspect?

I don't buy that argument.
It is agreed that blind updates and deletes with a RETURNING clause are dangerous. It is quite similar here.
Instead of using 
   BEGIN
   UPDATE-or-DELETE-with-RETURNING
   ROLLBACK 
as a substitute for SELECT, a malicious user can do a binary search with some trick like divide-by-zero
to figure out rows he is not allowed to access. Of course, this is not as serious as RETURNING, but it is still quite convenient for attackers.

Thanks,
Zhaomo
 
