Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
From | Bruce Momjian |
---|---|
Subject | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal |
Date | |
Msg-id | 200106110457.f5B4vL003982@candle.pha.pa.us |
In reply to | Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

> I have just thought of a possible compromise. Peter is right that we
> don't want case conversion on table names that are extracted from
> catalogs. But I think we do want it on table names expressed as string
> literals. Could we make the assumption that table names in catalogs
> will be of type 'name'? If so, it'd work to make two versions of the
> has_table_privilege function, one taking type "name" and the other
> taking type "text". The "name" version would take its input as-is,
> the "text" version would do case folding and truncation. This would
> work transparently for queries selecting relation names from the system
> catalogs, and it'd also work transparently for queries using unmarked
> string literals (which will be preferentially resolved as type "text").
> Worst case if the system makes the wrong choice is you throw in an
> explicit coercion to name or text. Comments?

Seems you are adding a distinction between name and text that we never
had before. Is it worth it to fix this case?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
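
The two variants discussed in this message, modelled as an added example (not code from the thread or from PostgreSQL): it shows how a catalog-stored name pushed through the case-folding variant gets a privilege answer for a different table. The catalog contents, the 31-character limit and the names `priv_by_name` / `priv_by_text` are assumptions of this sketch; quoted identifiers inside literals are not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SKETCH_NAMELEN 31 /* assumed identifier limit, not taken from the thread */

/* Constructed catalog: names stored exactly as created, plus whether the
 * current user holds SELECT on each relation. */
struct rel { const char *relname; int can_select; };
static const struct rel catalog[] = {
    {"accounts", 1},
    {"Accounts", 0}, /* created with a quoted mixed-case name */
    {"a_very_long_table_name_of_31_ch", 1},
};

/* 1 = privilege held, 0 = not held, -1 = no such relation */
static int lookup(const char *relname)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (strcmp(catalog[i].relname, relname) == 0)
            return catalog[i].can_select;
    return -1;
}

/* "name" variant: the input is used as-is. */
int priv_by_name(const char *relname)
{
    return lookup(relname);
}

/* "text" variant: fold to lower case and truncate before the lookup. */
int priv_by_text(const char *literal)
{
    char buf[SKETCH_NAMELEN + 1];
    size_t i;

    for (i = 0; i < SKETCH_NAMELEN && literal[i] != '\0'; i++)
        buf[i] = (char) tolower((unsigned char) literal[i]);
    buf[i] = '\0';
    return lookup(buf);
}

int main(void)
{
    /* A catalog value sent through the folding variant answers for the wrong table. */
    printf("name(Accounts)=%d text(Accounts)=%d\n",
           priv_by_name("Accounts"), priv_by_text("Accounts"));
    return 0;
}
```
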