Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZuuW-005D6m-Jr for pgsql-hackers@arkaria.postgresql.org; Fri, 02 Aug 2024 16:13:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sZuuT-001aZU-VS for pgsql-hackers@arkaria.postgresql.org; Fri, 02 Aug 2024 16:13:41 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZuuT-001aZG-Au for pgsql-hackers@lists.postgresql.org; Fri, 02 Aug 2024 16:13:41 +0000 Received: from mail-yb1-xb33.google.com ([2607:f8b0:4864:20::b33]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sZuuM-002naw-Hw for pgsql-hackers@lists.postgresql.org; Fri, 02 Aug 2024 16:13:40 +0000 Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-e0b9d344d66so4526186276.1 for ; Fri, 02 Aug 2024 09:13:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joeconway.com; s=google; t=1722615212; x=1723220012; darn=lists.postgresql.org; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=4JLk6wDzXWkuJCETN6Ou44EQynq9GLzGM/B40UBYjiw=; b=d+fVGXP5H0VZ+/z05nhKFH6aLciaYRfiUK7mPL4nWo67OQvUqtw5cSZryzTqO8HVZd mPrDXKs4gJdFxLeM3JiYmsuFw2fxC8UjiGctnmHYudmHQCLrePIkTEY6UIUFS3UD906S S34bb5nJNaj2FMUL/LWMKmHsKCyQvufDiDyLUKiPCzJEEwgtU3FSn+8drybuOuTk/D29 xKhQu1ab9g/dMoQFFy/AXJNItJoWSUQ2mHOxz7iByKePfnTwJ/+ler0K0pFkBvt4LYQY BxEAZqV9xbxiEHPofgBCNlIidoue8dnHuKZ5gS4nFfW/aR79LHVat9un7vQh3rOOzRaT NgeA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722615212; x=1723220012; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=4JLk6wDzXWkuJCETN6Ou44EQynq9GLzGM/B40UBYjiw=; b=RNTRYgmFS8QQM490gcEb5b7SmZRHytUkQYybJADIj0fMpR8EXkIiGNXo9YNKAPfg/L zk8NebVaMjUfc/AG7JXqTNwmujCLQtmqArnZ1R3YMDZ/7t502FyzhRyfHPF0kplIs7hi 3K0hVmVF7U4Tzp6XTVZ/zP4vGxktyy5jUAhkxu4FIZChg9/r1bO84Etp9uz/MMm8AMJk OnFatgDNe+yoBkdgCzTaKzdxqsBQTjXw7M4VckHVw8dO9gAbi7qbwwYFZqRcMLP4CZ20 Uk/B7NiTCzup+JdKTmTmv+RsYEujbNXYR2HK8rWc6MLQealxgwJZSVALWXiy/HE6RXI3 bcKQ== X-Forwarded-Encrypted: i=1; AJvYcCW6BpoQ1fEFD5oF/Bxqf1fM2xAyK7ET4jJHs6M08Ukpw7chOMrMtElrQflDjx1ss3rqOWMqQIy2/XwidWENsKLwzXmEahpntjhCvC8m5RTuMVOk X-Gm-Message-State: AOJu0YypiIcw+wZyjiCD0yQaStC7AWXtSPYwu6TZs3biRy0DjfB2VRYj oH4AwIkWePzioTOgk2/ebk4+0iotZRFG4boAbGAhGSeWLdUGuhsaVpfmdH1BozY= X-Google-Smtp-Source: AGHT+IF4+REngWp7RcisXyXIaVpSkKGKLyYTYxbWMjBOalQ9r+KfxDYSLDMqKfH9UzeqR1XCY/CD9Q== X-Received: by 2002:a05:6902:1443:b0:e0b:bd79:3084 with SMTP id 3f1490d57ef6-e0bde1f6debmr4697548276.8.1722615212446; Fri, 02 Aug 2024 09:13:32 -0700 (PDT) Received: from [192.168.4.41] (162-239-31-113.lightspeed.dybhfl.sbcglobal.net. [162.239.31.113]) by smtp.gmail.com with ESMTPSA id 3f1490d57ef6-e0be5568c51sm249566276.43.2024.08.02.09.13.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 02 Aug 2024 09:13:32 -0700 (PDT) Message-ID: <06cc6dcf-37c2-44d6-9232-a82a858be289@joeconway.com> Date: Fri, 2 Aug 2024 12:13:31 -0400 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: can we mark upper/lower/textlike functions leakproof? To: Tom Lane Cc: Jacob Champion , Robert Haas , Andrew Dunstan , David Rowley , PostgreSQL Hackers References: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> <3416373.1722449026@sss.pgh.pa.us> <3973586.1722611275@sss.pgh.pa.us> Content-Language: en-US From: Joe Conway Autocrypt: addr=mail@joeconway.com; keydata= xsFNBEpXMCsBEADDnXUQzjlyi/cX02Gtdy2CLcroE5CsC7DJKdOBDbfgn0kfiIYoV5JniG4l VyzZUodY8yUAagqLYolh0UkBzs9N+qkm7erde4ypw3jzVQ37BuzIvk3nMUbuDZDgxWqX+nVS sKc+BQ5BpzgCHg48leoRO2ohjvYnUhgH3j2rFZCzaj6qQ7mv+XoxOJmUlVQtG06Jwkk7Vu14 7U9nMMM6hyUKzVnmCphnlcMNo26UyVU70MwFfFJgcI0c5fpp8byN56eD6VJVnufO5WAuEhzE qcrSJR2FAlmM90GBY+6vP29twLDCHuSFvrnujNCx/BvCC/a3/gPvyAFp4JtMm9eXAmq3m/Kw 94nTJXVdcbQeQQDp3KIG7MmWS4lnGvPn8v0CjgNaLvZXFLo1FgmUVsyEq1Lww4iRLa6sbpXJ ESx15UEue1k1YZM9C+4F/o3aeKNsAienjw2EXFzcaxIg/C4P493VMi3Qa8ycVxR5iYhUbYdo DFIUQhbFNsYfrtW/qZAELT3FCYFpZYG01e9Hj+cBrXXgyDDkQ5Lq4mlvmkRvuxn61V6Au4HA 0sJiCox5pM1FvzT+aI8HY1BYaiB9Pl4fhpKgmhhlSuglk9v39S4jmlUIb45iLAUVpeNM6Qjm 69pf5da9sm4aGFa7YlDSKf/WcU7z9ITZxsilOi2n7YJiwG7kTQARAQABzSRKb3NlcGggRSBD b253YXkgPG1haWxAam9lY29ud2F5LmNvbT7CwXoEEwEIACQCGwMCHgECF4AFCwkIBwMFFQoJ CAsFFgIDAQAFAlWTVvUCGQEACgkQMyt+aLaZQ0oPCQ/9HyRewMyvAIJRmoXoLAr8AoFLId6R qBJnNX0Lll0RLZui65aQ0+exwX7aH7TxWR16B2gWX3OmLfGT8XITOoG+zt9zsEpLvNkHchkF T/jyAcbuRj5WX9hamZgMbjXAJeCdlhW+fRA9Upb0w4dgBjqK5OgsqMikASL7t2vogHl9H08j vSoQLW+8wTnSBXBeBTBwB7xLIin5WVivzFHUCrnD2UsjeBIW3fmGdpTAjSxRzG+UPYVwXQ8F FLt7DpEytvLWapmZWMRdj0WZ/Q3SOO/Ed0yFqbzuwKaWcFrQBNeS2Sig+FefBNS98f9Hx7ku H3DW34qX/zSSdDh0jLs7X3PkIgF6BZR2TxaCwHPP9ERDiDaUInC9U7We1iZE1DjW8rLMEVJB hY0ClrrF67pnUKTbcU+uajpPn+2Jl74T0Set/XxpHZ4cezcJuqg31R8vHZgd5cf1WKP0D0pc qiuS02BBFkNCs1jQ+raTWcDuE6F1mUO2nvjUBN9r4y5DUbCNSqLKeAe/aA6JaSDkBpoXKdNS +c4rbzbktWkfUW8EhVlCGzNpy4ezEoVsqV2Ex7fNoxsE2vnSylLT9hycAmYf8ryMvniRZqnD T4JgLenIcQlkhB896T7wApOXfD8OJj1/XFxAfPi6vdlsr81uoxuB4euLp8IyduwLORRUogO9 zmAXG5jOwU0ESlcyJwEQAOkTBb9yDhJbMUgvhM11rZwT5tm4Y9TqtEHn0Zy3t9g7bdFFpMva v/KENd3oAtLFpMDf+H3AggFk4ftUwJwiVgJ88ilvCynJUGXiuYIaexY4DLgn4xpnuiEpYEFV dWnlw7dWVTc62exfqIz9bSWRzwfBCY9ruYGEb4RDPDSNSAVyI7sxHzef2asiYxIcxrTrw5Vu gWNlPZcV5/EJ6PUvATjBF2TBkXV7KOciQng2tsQGrGMkY5mduNqwpuh6zfPcVF8LeObe96wv 5ZhPRpO79nef7hnK2lJogp3JIo558Jlbz9WHtQEMZR85+bUhtI825QyNAFz3Jrn7NMgvDikc 2OrWo7YMgMC5hDSWVFqA6/EQCNnDWGABWgeYHZFpnPwsvUWIYdhSilUuj/Tuzvz9ZmucFNbQ bauDQw6VQ38ofGnoYDZFJsGncprB8dBi4tDrIQ+1RlIh6C2Z/eMipqJOT26+spluTjouvnKT 0S5yOgyX0PjbsysgwQdCGNJLHOjhHbSpSmOLaduV3CQo/0+DHT/TBjYfIXjTWouY9TkGxG4e NrxU0u2xAy5bMqOPmsFdjLTWlQUlF/fTMhB54XwI3FHWgnSnXZzStDTmTebLNdT/ftgliAzA 81uMj49j0exv731/v+7udLA1bV8gnZ01zQCASDpWiRQR3fgwcugSUqgRABEBAAHCwV8EGAEI AAkFAkpXMicCGwwACgkQMyt+aLaZQ0pwAQ//bjcWnZg/jjRQ9gbZUGMqniItZYRglBMKIqt4 Fia379JmHwTvavnFkJ8XMZ56UB0FIrgS+sUkRH6cPRQR+7Qi392LD021DXgSsz9CwFHjFyBG HwLEOTRcfYQbtJy0shHDJB4aQTOX3ERDH1PsvJNuevmQMzS0DWFav9+xMz9rKP4N+HffoBIZ E0C1xIE43nD4eLsbycte9sVIrmlNuUti3qUxJAQw8HwfJ6ZbBInHxquApR16uD1u99o6Xlnd FrDlY22tRmHCM0bR81GfGNdcU3Uo+rG/R/k4qa7s9/dgKvMbyH3fHhp/ceKag80Xo8IFurRl 0ZJP3sHJ2QDHCVLat7jRZ+43hi1WlIhFbrgn6IyI0i7XR/W8JjrC5MsKq4TUwGH077sU/kcH YebVJZRbUUst2hAGHDFVBcG12qoKf+ltL9qXJc1y7BGeCoUW6QjOpljpq6ZL4FQUsM0RSRjs 5egE3szPcIf5SyPK6WDOApoAq6M7BBFMGDZwEylYMtr0YekA1u86UA9D2xwLHEbBBp/uiby1 c9JbPJ1Pn8zJP8WZNeRw4Q9TtqVK09+oLirMUSpIDd6KdZ1VgRxOK2re7tjDvkVuYsSrsiJ+ 1iJNEnp9iK0ok0DlJpSCe6KhkxpaTdeoWMXdKuJWec0NIqoAd54ZgBPnr+UPxTixgPq/p6Q= In-Reply-To: <3973586.1722611275@sss.pgh.pa.us> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 8/2/24 11:07, Tom Lane wrote: > Joe Conway writes: >> >> Hmmm, and then have "leakproof_mode" = strict/lax/off where 'strict' is >> current behavior, 'lax' allows the 'maybe's to get pushed down, and >> 'off' ignores the leakproof attribute entirely and pushes down anything >> that merits being pushed? >> > > So in other words, we might as well just remove RLS. Perhaps deciding where to draw the line for 'maybe' is too hard, but I don't understand how you can say that in a general sense. 'strict' mode would provide the same guarantees as today. And even 'off' has utility for cases where (1) no logins are allowed except for the app (which is quite common in production environments) and no database errors are propagated to the end client (again pretty standard best practice); or (2) non-production environments, e.g. for testing or debugging; or (3) use cases that utilize RLS as a notationally convenient filtering mechanism and are not bothered by some leakage in the worst case. -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com