13.04.2018 18:55, Tom Lane wrote:
Although this is arguably a security bug, I'm not sure we should
back-patch it. The consequences seem relatively minor, and the
behavioral change carries a significant risk of breaking applications
that worked as-intended up to now. Thoughts?
The worst scenario (with the current system views) I could think of is:
user=> CREATE VIEW pgg AS SELECT * FROM pg_group;
BEGIN TRANSACTION; SELECT * FROM pgg FOR UPDATE; SELECT pg_sleep(60);
ROLLBACK;
and the parallel operation:
admin=> DROP ROLE testrole;
hangs for one minute.
But admin can observer the locks and kill the offending backend so it's
hardly a critical issue.
