INSERT ... RETURNING does not require a SELECT privilege
--------------------------------------------------------

                 Key: CORE-6335
                 URL: http://tracker.firebirdsql.org/browse/CORE-6335
             Project: Firebird Core
          Issue Type: Bug
          Components: Engine
    Affects Versions: 4.0 Beta 2, 3.0.5, 2.5.9, 4.0 Beta 1, 3.0.4, 3.0.3, 2.5.8, 4.0 Alpha 1, 3.0.2, 2.5.7, 3.0.1, 2.5.6, 3.0.0, 4.0 Initial, 2.5.5, 2.5.4, 2.5.3 Update 1, 2.5.3, 2.5.2 Update 1, 2.5.2, 2.5.1
            Reporter: Dmitry Yemanov
            Priority: Minor


While UPDATE ... RETURNING and DELETE ... RETURNING require a SELECT privilege, 
INSERT ... RETURNING does not enforce that. It may look logical at first 
glance, as there is usually no implicit cursor (which always exists for 
UPDATE/DELETE) and there's no OLD context for INSERT, so you can read only 
values from the row being inserted by yourself. However, some fields may be 
assigned implicitly (DEFAULT clause, GENERATED AS IDENTITY clause, BEFORE 
INSERT triggers), and the fact that they can be read using the RETURNING clause 
looks like a minor security issue.

RETURNING is a non-standard extension, but the SQL specification includes <data 
change delta table>, which is derived from rows changed by INSERT/UPDATE/DELETE 
statements, and it is explicitly specified that any column referenced in <data 
change delta table> requires a SELECT permission on the target table for the 
underlying INSERT/UPDATE/DELETE.

I suspect there may be a backward compatibility issue for those using INSERT 
... RETURNING <generated PK> without a SELECT privilege granted. Thus 
backporting into v3 is questionable; I need other opinions in this regard.
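As an added illustration (not part of the tracker issue), the following Firebird SQL script, with constructed names (AUDIT_LOG, WRITER_ONLY), sets up the three implicit-assignment cases named in the report and marks where the privilege check currently diverges between UPDATE/DELETE ... RETURNING and INSERT ... RETURNING. The IDENTITY column needs Firebird 3.0 or later; the quoted error text is Firebird's standard "no permission" message, written from memory.

```sql
-- Run as the database owner. One column is set by DEFAULT, one by
-- IDENTITY, one is assigned in a BEFORE INSERT trigger: exactly the
-- implicitly assigned values the report is concerned about.
CREATE TABLE audit_log (
    id         INTEGER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    entered_by VARCHAR(63),          -- filled in by the trigger below
    payload    VARCHAR(200)
);

SET TERM ^ ;
CREATE TRIGGER audit_log_bi FOR audit_log
ACTIVE BEFORE INSERT POSITION 0
AS
BEGIN
    NEW.entered_by = CURRENT_USER;
END^
SET TERM ; ^

-- Constructed principal: allowed to change the table, never to read it.
CREATE USER writer_only PASSWORD 'CHANGE-ME';   -- placeholder password
GRANT INSERT, UPDATE, DELETE ON audit_log TO USER writer_only;
COMMIT;

-- The statements below are issued from a session connected as WRITER_ONLY.

-- Both are rejected today, because RETURNING on UPDATE/DELETE is
-- checked against the SELECT privilege:
--   no permission for SELECT access to TABLE AUDIT_LOG
UPDATE audit_log SET payload = 'x' WHERE id = 1 RETURNING created_at;
DELETE FROM audit_log WHERE id = 1 RETURNING entered_by;

-- In the affected versions this succeeds and hands back the three
-- server-assigned values although only INSERT was granted. With the
-- behaviour proposed in the report it fails with the same error, so any
-- application that relies on INSERT ... RETURNING id under an
-- INSERT-only grant needs SELECT granted as well (the compatibility
-- concern raised above).
INSERT INTO audit_log (payload) VALUES ('hello')
    RETURNING id, created_at, entered_by;
```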

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel