• Stephen Frost's avatar
    Fix column-privilege leak in error-message paths · 804b6b6d
    Stephen Frost authored
    While building error messages to return to the user,
    BuildIndexValueDescription, ExecBuildSlotValueDescription and
    ri_ReportViolation would happily include the entire key or entire row in
    the result returned to the user, even if the user didn't have access to
    view all of the columns being included.
    
    Instead, include only those columns which the user is providing or which
    the user has select rights on.  If the user does not have any rights
    to view the table or any of the columns involved then no detail is
    provided and a NULL value is returned from BuildIndexValueDescription
    and ExecBuildSlotValueDescription.  Note that, for key cases, the user
    must have access to all of the columns for the key to be shown; a
    partial key will not be returned.
    
    Further, in master only, do not return any data for cases where row
    security is enabled on the relation and row security should be applied
    for the user.  This required a bit of refactoring and moving of things
    around related to RLS- note the addition of utils/misc/rls.c.
    
    Back-patch all the way, as column-level privileges are now in all
    supported versions.
    
    This has been assigned CVE-2014-8161, but since the issue and the patch
    have already been publicized on pgsql-hackers, there's no point in trying
    to hide this commit.
    804b6b6d
rowsecurity.c 15.1 KB