Plug RLS related information leak in pg_stats view.

The pg_stats view is supposed to be restricted to only show rows
about tables the user can read. However, it sometimes can leak
information which could not otherwise be seen when row level security
is enabled. Fix that by not showing pg_stats rows to users that would
be subject to RLS on the table the row is related to. This is done
by creating/using the newly introduced SQL visible function,
row_security_active().

Along the way, clean up three call sites of check_enable_rls(). The second
argument of that function should only be specified as other than
InvalidOid when we are checking as a different user than the current one,
as in when querying through a view. These sites were passing GetUserId()
instead of InvalidOid, which can cause the function to return incorrect
results if the current user has the BYPASSRLS privilege and row_security
has been set to OFF.

Additionally fix a bug causing RI Trigger error messages to unintentionally
leak information when RLS is enabled, and other minor cleanup and
improvements. Also add WITH (security_barrier) to the definition of pg_stats.

Bumped CATVERSION due to new SQL functions and pg_stats view definition.

Back-patch to 9.5 where RLS was introduced. Reported by Yaroslav.
Patch by Joe Conway and Dean Rasheed with review and input by
Michael Paquier and Stephen Frost.
src/include/catalog/pg_proc.h (+6)
@@ -5343,6 +5343,12 @@ DESCR("get progress for all replication origins");
5343
5343
#define PROVOLATILE_STABLE 's' /* does not change within a scan */
5344
5344
#define PROVOLATILE_VOLATILE 'v' /* can change even within a scan */
5345
5345
5346
+
/* rls */
5347
+
DATA(insert OID = 3298 ( row_security_active PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 16 "26" _null_ _null_ _null_ _null_ _null_ row_security_active _null_ _null_ _null_ ));
5348
+
DESCR("row security for current context active on table by table oid");
5349
+
DATA(insert OID = 3299 ( row_security_active PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 16 "25" _null_ _null_ _null_ _null_ _null_ row_security_active_name _null_ _null_ _null_ ));
5350
+
DESCR("row security for current context active on table by table name");
5351
+
5346
5352
/*
5347
5353
* Symbolic values for proargmodes column. Note that these must agree with
5348
5354
* the FunctionParameterMode enum in parsenodes.h; we declare them here to
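Review bot: The two new catalog entries (OIDs 3298 and 3299) expose row_security_active to SQL, but their DESCR strings say only "for current context" and nothing visible here documents what that context is. Since pg_stats now relies on this function as a visibility filter, the user-facing documentation should state that the result depends on the current user and the row_security setting, which is also why the entries are marked stable ('s') rather than immutable. For the by-name variant (argument type "25", prosrc row_security_active_name), please confirm that a name that cannot be resolved raises an error instead of returning false, because callers that read false as "RLS not active" would otherwise fail open.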
src/test/regress/expected/rules.out (+1 -1)
@@ -2061,7 +2061,7 @@ pg_stats| SELECT n.nspname AS schemaname,
2061
2061
JOIN pg_class c ON ((c.oid = s.starelid)))
2062
2062
JOIN pg_attribute a ON (((c.oid = a.attrelid) AND (a.attnum = s.staattnum))))
2063
2063
LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace)))
2064
-
WHERE ((NOT a.attisdropped) AND has_column_privilege(c.oid, a.attnum, 'select'::text));
2064
+
WHERE ((NOT a.attisdropped) AND has_column_privilege(c.oid, a.attnum, 'select'::text) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid))));
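Review bot: The only expected-output change shown here is the view text in rules.out, which confirms that the new predicate (c.relrowsecurity = false) OR (NOT row_security_active(c.oid)) was added to the WHERE clause but not that it hides anything. A regression test that runs ANALYZE on an RLS-enabled table and then selects from pg_stats as a role subject to the policy, expecting zero rows, would cover the actual leak, along with the inverse case for a role that is exempt. Also note that this output prints only the query, so the WITH (security_barrier) option mentioned in the commit message is not verified by this file and needs its own check.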