Add security checks to selectivity estimation functions

Some selectivity estimation functions run user-supplied operators over data obtained from pg_statistic without security checks, which allows those operators to leak pg_statistic data without having privileges on the underlying tables. Fix by checking that one of the following is satisfied: (1) the user has table or column privileges on the table underlying the pg_statistic data, or (2) the function implementing the user-supplied operator is leak-proof. If neither is satisfied, planning will proceed as if there are no statistics available.

At least one of these is satisfied in most cases in practice. The only situations that are negatively impacted are user-defined or not-leak-proof operators on a security-barrier view.

Reported-by: Robert Haas <robertmh...@gmail.com>
Author: Peter Eisentraut <pete...@gmx.net>
Author: Tom Lane <t...@sss.pgh.pa.us>
Security: CVE-2017-7484

Branch
------
REL9_2_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/d035c1b970fe948c10773315a2f022204bc45df6

Modified Files
--------------
doc/src/sgml/planstats.sgml              |  60 ++++++++++++
src/backend/utils/adt/array_selfuncs.c   |   6 +-
src/backend/utils/adt/selfuncs.c         | 160 +++++++++++++++++++++++++------
src/include/utils/selfuncs.h             |   2 +
src/test/regress/expected/privileges.out |  97 +++++++++++++++++++
src/test/regress/sql/privileges.sql      |  61 ++++++++++++
6 files changed, 354 insertions(+), 32 deletions(-)
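The two conditions in the commit message can be inspected from the system catalogs. The queries below are an added example, not part of the commit or of the PostgreSQL source: the table name public.example_table is a placeholder, and SELECT is assumed to be the privilege that matters, since the message only says "table or column privileges".

```sql
-- Condition (2): operators that have a selectivity estimator attached but
-- whose implementing function is NOT marked leakproof. For these, the
-- planner falls back to "no statistics" when condition (1) also fails.
SELECT n.nspname                 AS operator_schema,
       o.oprname                 AS operator,
       o.oprleft::regtype        AS left_type,
       o.oprright::regtype       AS right_type,
       o.oprcode::regprocedure   AS implementing_function,
       o.oprrest                 AS restriction_estimator,
       o.oprjoin                 AS join_estimator
FROM pg_operator o
JOIN pg_proc p      ON p.oid = o.oprcode
JOIN pg_namespace n ON n.oid = o.oprnamespace
WHERE NOT p.proleakproof
  AND (o.oprrest <> 0 OR o.oprjoin <> 0)
ORDER BY n.nspname, o.oprname;

-- Condition (1): for the current role, which columns of a given table are
-- covered by a table-level or column-level privilege.
-- 'public.example_table' is a placeholder; SELECT is an assumption.
SELECT a.attname AS column_name,
       has_table_privilege(c.oid, 'SELECT')              AS table_priv,
       has_column_privilege(c.oid, a.attnum, 'SELECT')   AS column_priv
FROM pg_class c
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE c.oid = 'public.example_table'::regclass
  AND a.attnum > 0
  AND NOT a.attisdropped
ORDER BY a.attnum;
```

A plan that gets worse for an unprivileged role after this fix is expected when the operator appears in the first result and both privilege columns are false for the column involved.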