On 2013-05-07 21:45:02 -0400, Tom Lane wrote: > Greg Stark <st...@mit.edu> writes: > > If we just reverted your fix and didn't fix it in 9.2 that would also > > fix the crash right? The bug was only that it leaked the fact that the > > view was provably empty from the definition? > > Well, it might fail to report a permissions violation when the > not-allowed-to-be-accessed relation could be proven to yield no rows. > I agree that it's a bit hard to call that a security issue as long as > you assume that the attacker has access to the system catalogs; and > even if you don't assume that, being able to discern that there's a > check constraint on some table doesn't seem like a big leakage.
Couldn't it also cause tables not to be locked that ought to be? That seems to be the nastier part to me. Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
