git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Peter Eisentraut <peter_e@gmx.net>
	Fri, 5 May 2017 16:18:48 +0000 (12:18 -0400)
committer	Peter Eisentraut <peter_e@gmx.net>
	Mon, 8 May 2017 13:19:15 +0000 (09:19 -0400)
commit	3e5ea1f9b21c94acce01d7a5bf5bfcf36e670b0a
tree	179a6ab780b10a22a59ad8e89f184a5f6d952b5f	tree \| snapshot
parent	a6b6bb64094cdf40488bc1ac64bc2c294e7383b5	commit \| diff

Add security checks to selectivity estimation functions

Some selectivity estimation functions run user-supplied operators over
data obtained from pg_statistic without security checks, which allows
those operators to leak pg_statistic data without having privileges on
the underlying tables.  Fix by checking that one of the following is
satisfied: (1) the user has table or column privileges on the table
underlying the pg_statistic data, or (2) the function implementing the
user-supplied operator is leak-proof.  If neither is satisfied, planning
will proceed as if there are no statistics available.

At least one of these is satisfied in most cases in practice.  The only
situations that are negatively impacted are user-defined or
not-leak-proof operators on a security-barrier view.

Reported-by: Robert Haas <robertmhaas@gmail.com>
Author: Peter Eisentraut <peter_e@gmx.net>
Author: Tom Lane <tgl@sss.pgh.pa.us>

Security: CVE-2017-7484

doc/src/sgml/planstats.sgml		diff \| blob \| blame \| history
src/backend/utils/adt/array_selfuncs.c		diff \| blob \| blame \| history
src/backend/utils/adt/rangetypes_selfuncs.c		diff \| blob \| blame \| history
src/backend/utils/adt/selfuncs.c		diff \| blob \| blame \| history
src/include/utils/selfuncs.h		diff \| blob \| blame \| history
src/test/regress/expected/privileges.out		diff \| blob \| blame \| history
src/test/regress/sql/privileges.sql		diff \| blob \| blame \| history