From e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Fri, 5 May 2017 12:18:48 -0400 Subject: Add security checks to selectivity estimation functions Some selectivity estimation functions run user-supplied operators over data obtained from pg_statistic without security checks, which allows those operators to leak pg_statistic data without having privileges on the underlying tables. Fix by checking that one of the following is satisfied: (1) the user has table or column privileges on the table underlying the pg_statistic data, or (2) the function implementing the user-supplied operator is leak-proof. If neither is satisfied, planning will proceed as if there are no statistics available. At least one of these is satisfied in most cases in practice. The only situations that are negatively impacted are user-defined or not-leak-proof operators on a security-barrier view. Reported-by: Robert Haas Author: Peter Eisentraut Author: Tom Lane Security: CVE-2017-7484
---
 src/backend/utils/adt/array_selfuncs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/backend/utils/adt/array_selfuncs.c')
diff --git a/src/backend/utils/adt/array_selfuncs.c b/src/backend/utils/adt/array_selfuncs.c
index 50e81452410..cfaf87335a8 100644
--- a/src/backend/utils/adt/array_selfuncs.c
+++ b/src/backend/utils/adt/array_selfuncs.c
@@ -133,7 +133,8 @@ scalararraysel_containment(PlannerInfo *root,
 useOr = !useOr;
 /* Get array element stats for var, if available */
- if (HeapTupleIsValid(vardata.statsTuple))
+ if (HeapTupleIsValid(vardata.statsTuple) &&
+ statistic_proc_security_check(&vardata, cmpfunc->fn_oid))
 {
 Form_pg_statistic stats;
 Datum *values;
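Review bot: The comment `/* Get array element stats for var, if available */` above the changed condition in scalararraysel_containment no longer covers everything the test does, and nothing at the call site explains why existing statistics may now be skipped. I would extend it to something like `/* Get array element stats for var, if available and if cmpfunc may be run over them (table/column privileges, or leakproof) */`, so the silent fallback to the no-statistics path is not later mistaken for a planner bug. The same condition is added in calc_arraycontsel in the next hunk, where the `if` has no comment at all and would benefit from the same sentence. The function body starts and ends outside this hunk, so the fallback branch itself is not visible here.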
@@ -364,7 +365,8 @@ calc_arraycontsel(VariableStatData *vardata, Datum constval,
 */
 array = DatumGetArrayTypeP(constval);
- if (HeapTupleIsValid(vardata->statsTuple))
+ if (HeapTupleIsValid(vardata->statsTuple) &&
+ statistic_proc_security_check(vardata, cmpfunc->fn_oid))
 {
 Form_pg_statistic stats;
 Datum *values;
-- cgit v1.2.3
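Review bot: The guard in calc_arraycontsel is keyed on `cmpfunc->fn_oid`, but where `cmpfunc` is set and what the guarded block calls both lie outside the hunk, so it cannot be confirmed from here that this is the only user-definable function applied to the pg_statistic values. If it is, a short comment inside the block would pin that invariant down for later edits, for example `/* cmpfunc is the only function applied to the stats values below; any additional one needs its own security check */`. If the block does reach another function through the stats data, that function's OID would need the same check before the branch is taken. The same question applies to the guarded block in scalararraysel_containment in the previous hunk.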