Обсуждение: Re: [COMMITTERS] pgsql: Fix column-privilege leak in error-message paths
Stephen Frost <sfrost@snowman.net> writes:
> Fix column-privilege leak in error-message paths
This patch is at least one brick shy of a load:
regression=# create table t1 (f1 int);
CREATE TABLE
regression=# create unique index on t1 (abs(f1));
CREATE INDEX
regression=# create user joe;
CREATE ROLE
regression=# grant insert on t1 to joe;
GRANT
regression=# \c - joe
You are now connected to database "regression" as user "joe".
regression=> insert into t1 values (1);
INSERT 0 1
regression=> insert into t1 values (1);
ERROR: attribute 0 of relation with OID 45155 does not exist
The cause of that is the logic added to BuildIndexValueDescription, which
ignores the possibility that some of the index columns are expressions
(which will have a zero in indkey[]).
I'm not sure that it's worth trying to drill down and determine exactly
which column(s) are referenced by an expression. I'd be content if we
just decided that any index expression is off-limits to someone without
full SELECT access, which could be achieved with something like
{ AttrNumber attnum = idxrec->indkey.values[keyno];
- aclresult = pg_attribute_aclcheck(indrelid, attnum, GetUserId(),
- ACL_SELECT);
-
- if (aclresult != ACLCHECK_OK)
+ if (attnum == InvalidAttrNumber ||
+ pg_attribute_aclcheck(indrelid, attnum, GetUserId(),
+ ACL_SELECT) != ACLCHECK_OK) { /* No access, so clean up and
return*/ ReleaseSysCache(ht_idx);
(though a comment about it wouldn't be a bad thing either)
regards, tom lane
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Fix column-privilege leak in error-message paths
>
> This patch is at least one brick shy of a load:
>
> regression=# create table t1 (f1 int);
> CREATE TABLE
> regression=# create unique index on t1 (abs(f1));
> CREATE INDEX
> regression=# create user joe;
> CREATE ROLE
> regression=# grant insert on t1 to joe;
> GRANT
> regression=# \c - joe
> You are now connected to database "regression" as user "joe".
> regression=> insert into t1 values (1);
> INSERT 0 1
> regression=> insert into t1 values (1);
> ERROR: attribute 0 of relation with OID 45155 does not exist
Urgh.
> The cause of that is the logic added to BuildIndexValueDescription, which
> ignores the possibility that some of the index columns are expressions
> (which will have a zero in indkey[]).
Ah, yes, I didn't expect that, clearly.
> I'm not sure that it's worth trying to drill down and determine exactly
> which column(s) are referenced by an expression. I'd be content if we
> just decided that any index expression is off-limits to someone without
> full SELECT access, which could be achieved with something like
Sounds perfectly reasonable to me.
> {
> AttrNumber attnum = idxrec->indkey.values[keyno];
>
> - aclresult = pg_attribute_aclcheck(indrelid, attnum, GetUserId(),
> - ACL_SELECT);
> -
> - if (aclresult != ACLCHECK_OK)
> + if (attnum == InvalidAttrNumber ||
> + pg_attribute_aclcheck(indrelid, attnum, GetUserId(),
> + ACL_SELECT) != ACLCHECK_OK)
> {
> /* No access, so clean up and return */
> ReleaseSysCache(ht_idx);
Yup, that looks good to me.
> (though a comment about it wouldn't be a bad thing either)
Agreed.
Will handle shortly.
Thanks!
Stephen
Tom, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > Stephen Frost <sfrost@snowman.net> writes: > > Fix column-privilege leak in error-message paths [...] > The cause of that is the logic added to BuildIndexValueDescription, which > ignores the possibility that some of the index columns are expressions > (which will have a zero in indkey[]). > > I'm not sure that it's worth trying to drill down and determine exactly > which column(s) are referenced by an expression. I'd be content if we > just decided that any index expression is off-limits to someone without > full SELECT access, which could be achieved with something like Commit pushed with this approach. > (though a comment about it wouldn't be a bad thing either) and a comment added explaining it. Thanks again for pointing it out and please let me know if you see any further issues. Stephen