| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: leaky views, yet again |
| Date: | 2010-10-07 13:10:22 |
| Message-ID: | 20101007131022.GQ26232@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Thu, Oct 7, 2010 at 2:02 AM, Heikki Linnakangas
> > Looks good. It gives the impression that you need to be able to a create
> > custom function to exploit, though. It would be good to mention that
> > internal functions can be used too, revoking access to CREATE FUNCTION does
> > not make you safe.
>
> OK, second try attached.
This might be overly pedantic, but I don't think 'tampering' gives the
right impression. Also, there's a marked difference between viewing
data by using built-ins such as casting (since you'll only get to see
the first value in a column that fails the cast) and being able to write
a function that pulls out every row of the table and dumps it into
another table. I think it'd have a much bigger impression if you went
ahead and changed the 'raise notice' to an 'insert into table x;'.
Also, even if you can't create functions (due to lack of create
privileges on any schema), you could use DO clauses now. Revoking
usage rights on all languages should prevent both though.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2010-10-07 13:16:38 | Re: Git cvsserver serious issue |
| Previous Message | Fujii Masao | 2010-10-07 13:08:12 | Re: Sync Rep at Oct 5 |