[Pgpool-hackers] query cache specification: possible security issue

Kääriäinen Anssi anssi.kaariainen at thl.fi
Tue Jun 21 19:08:25 UTC 2011


Quote:
"
My proposal is using key md5(username+query_string+database_name) as
cache key. One drawback is even if a table is accessible by user A and
B, they cannot share the query cache.

Comments?
"

What about search_path? The same query string can return different results depending on that. There might be other settings which do affect the query results or visibility (set/grant/revoke role). Maybe just document these limitations? 

For example I do have a database which contains multiple Django applications in different schemas, each containing an auth_user table.

 - Anssi
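
The cache-key concern raised in this message, as an added example that is not part of the original post or of pgpool's code: a toy cache keyed with the quoted md5(username+query_string+database_name) returns one schema's rows to a session whose search_path points at another schema. The schema names, sample rows, session fields and the `session_aware_key` variant are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: two Django apps in one database, each schema
# holding its own auth_user table (the situation described in the post).
SCHEMAS = {
    "app_a": {"auth_user": ["alice", "bob"]},
    "app_b": {"auth_user": ["carol"]},
}

def run_query(table, search_path):
    """Stand-in for the backend: resolve an unqualified table name against
    the first schema on search_path that contains it."""
    for schema in search_path:
        if table in SCHEMAS.get(schema, {}):
            return list(SCHEMAS[schema][table])
    raise LookupError(f"relation {table!r} does not exist")

def proposed_key(session, query):
    # Key as quoted in the thread: md5(username+query_string+database_name).
    raw = session["user"] + query + session["db"]
    return hashlib.md5(raw.encode()).hexdigest()

def session_aware_key(session, query):
    # Hypothetical variant: also bind the key to the current role and
    # search_path, the two settings named in the reply.
    parts = [session["user"], session["role"], session["db"],
             ",".join(session["search_path"]), query]
    return hashlib.md5("\x00".join(parts).encode()).hexdigest()

def cached_select(cache, key_fn, session, table):
    query = f"SELECT username FROM {table}"
    key = key_fn(session, query)
    if key not in cache:  # miss: ask the backend and store the rows
        cache[key] = run_query(table, session["search_path"])
    return cache[key]

def demo(key_fn):
    """Same user, database and query text; only search_path differs."""
    cache = {}
    a = {"user": "django", "role": "django", "db": "web",
         "search_path": ["app_a"]}
    b = dict(a, search_path=["app_b"])
    return (cached_select(cache, key_fn, a, "auth_user"),
            cached_select(cache, key_fn, b, "auth_user"))

if __name__ == "__main__":
    print("proposed key:     ", demo(proposed_key))
    print("session-aware key:", demo(session_aware_key))
```

With the proposed key the second session is served app_a's rows from the cache; with the session-aware key it misses and gets app_b's rows.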

