From c33c42362256382ed398df9dcda559cd547c68a7 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Fri, 5 May 2017 12:18:48 -0400 Subject: Add security checks to selectivity estimation functions Some selectivity estimation functions run user-supplied operators over data obtained from pg_statistic without security checks, which allows those operators to leak pg_statistic data without having privileges on the underlying tables. Fix by checking that one of the following is satisfied: (1) the user has table or column privileges on the table underlying the pg_statistic data, or (2) the function implementing the user-supplied operator is leak-proof. If neither is satisfied, planning will proceed as if there are no statistics available. At least one of these is satisfied in most cases in practice. The only situations that are negatively impacted are user-defined or not-leak-proof operators on a security-barrier view. Reported-by: Robert Haas Author: Peter Eisentraut Author: Tom Lane Security: CVE-2017-7484 --- src/backend/utils/adt/array_selfuncs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/backend/utils/adt/array_selfuncs.c') diff --git a/src/backend/utils/adt/array_selfuncs.c b/src/backend/utils/adt/array_selfuncs.c index dd44d57e207..a3064773973 100644 --- a/src/backend/utils/adt/array_selfuncs.c +++ b/src/backend/utils/adt/array_selfuncs.c @@ -132,7 +132,8 @@ scalararraysel_containment(PlannerInfo *root, useOr = !useOr; /* Get array element stats for var, if available */ - if (HeapTupleIsValid(vardata.statsTuple)) + if (HeapTupleIsValid(vardata.statsTuple) && + statistic_proc_security_check(&vardata, cmpfunc->fn_oid)) { Form_pg_statistic stats; Datum *values; @@ -363,7 +364,8 @@ calc_arraycontsel(VariableStatData *vardata, Datum constval, */ array = DatumGetArrayTypeP(constval); - if (HeapTupleIsValid(vardata->statsTuple)) + if (HeapTupleIsValid(vardata->statsTuple) && + statistic_proc_security_check(vardata, cmpfunc->fn_oid)) { Form_pg_statistic stats; Datum *values; -- cgit v1.2.3