aboutsummaryrefslogtreecommitdiff
path: root/src/backend/optimizer/path/allpaths.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/backend/optimizer/path/allpaths.c')
-rw-r--r--src/backend/optimizer/path/allpaths.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/backend/optimizer/path/allpaths.c b/src/backend/optimizer/path/allpaths.c
index 815b996a131..b3777eae2e4 100644
--- a/src/backend/optimizer/path/allpaths.c
+++ b/src/backend/optimizer/path/allpaths.c
@@ -744,6 +744,11 @@ set_subquery_pathlist(PlannerInfo *root, RelOptInfo *rel,
* pseudoconstant clauses; better to have the gating node above the
* subquery.
*
+ * Also, if the sub-query has "security_barrier" flag, it means the
+ * sub-query originated from a view that must enforce row-level security.
+ * We must not push down quals in order to avoid information leaks, either
+ * via side-effects or error output.
+ *
* Non-pushed-down clauses will get evaluated as qpquals of the
* SubqueryScan node.
*
@@ -762,7 +767,16 @@ set_subquery_pathlist(PlannerInfo *root, RelOptInfo *rel,
RestrictInfo *rinfo = (RestrictInfo *) lfirst(l);
Node *clause = (Node *) rinfo->clause;
+ /*
+ * XXX. You might wonder why we're testing rte->security_barrier
+ * qual-by-qual here rather than hoisting the test up into the
+ * surrounding if statement; after all, the answer will be the
+ * same for all quals. The answer is that we expect to shortly
+ * change this logic to allow pushing down some quals that use only
+ * "leakproof" operators even through a security barrier.
+ */
if (!rinfo->pseudoconstant &&
+ !rte->security_barrier &&
qual_is_pushdown_safe(subquery, rti, clause, differentTypes))
{
/* Push it down */