On Mon, 13 May 2019 at 23:36, Tomas Vondra <tomas.von...@2ndquadrant.com> wrote:
>
> On Fri, May 10, 2019 at 10:19:44AM +0100, Dean Rasheed wrote:
> >While working on 1aebfbea83c, I noticed that the new multivariate MCV
> >stats feature suffers from the same problem, and also the original
> >problems that were fixed in e2d4ef8de8 and earlier --- namely that a
> >user can see values in the MCV lists that they shouldn't see (values
> >from tables that they don't have privileges on).
> >
> >I think there are 2 separate issues here:
> >
> >1). The table pg_statistic_ext is accessible to anyone, so any user
> >can see the MCV lists of any table. I think we should give this the
> >same treatment as pg_statistic, and hide it behind a security barrier
> >view, revoking public access from the table.
> >
> >2). The multivariate MCV stats planner code can be made to invoke
> >user-defined operators, so a user can create a leaky operator and use
> >it to reveal data values from the MCV lists even if they have no
> >permissions on the table.
> >
> >Attached is a draft patch to fix (2), which hooks into
> >statext_is_compatible_clause().
> >
>
> I think that patch is good.
>

I realised that we forgot to push this second part, so I've just done so.

Regards,
Dean
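
Added example (not part of the thread or of the PostgreSQL patch): two read-only catalog queries for auditing the two issues described above on a given server. The catalog names checked in the first query follow the thread; the OID cutoff 16384 for user-created objects and the column aliases are assumptions of this example.

```sql
-- Added example: audit queries, not code from the patch under discussion.

-- Issue (1): can PUBLIC read the statistics catalogs directly?
-- pg_statistic is the already-protected reference case; pg_statistic_ext is
-- the catalog named in the thread. A row with public_can_select = true means
-- any role can read the stored statistics without going through a view.
SELECT c.relname,
       has_table_privilege('public'::name, c.oid, 'SELECT') AS public_can_select,
       c.relacl
FROM pg_catalog.pg_class AS c
JOIN pg_catalog.pg_namespace AS n ON n.oid = c.relnamespace
WHERE n.nspname = 'pg_catalog'
  AND c.relname IN ('pg_statistic', 'pg_statistic_ext')
ORDER BY c.relname;

-- Issue (2): inventory of user-defined operators whose implementing function
-- is not marked LEAKPROOF. These are the operators the planner must not apply
-- to statistics of a table the calling role cannot read.
-- Assumption: OIDs >= 16384 identify objects created after initdb.
SELECT o.oid::regoperator          AS oper_signature,
       pg_get_userbyid(o.oprowner) AS oper_owner,
       o.oprcode                   AS impl_function,
       p.proleakproof              AS impl_is_leakproof
FROM pg_catalog.pg_operator AS o
JOIN pg_catalog.pg_proc AS p ON p.oid = o.oprcode
WHERE o.oid >= 16384
  AND NOT p.proleakproof
ORDER BY 2, 1;
```

Most user-defined operators will appear in the second result, since only a superuser can mark a function LEAKPROOF; the list is an inventory to review together with who owns each operator, not a set of findings.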