Home > mailing lists

"$user" and SESSION_USER and CURRENT_USER - Mailing list pgsql-docs

From	antonov@stdpr.ru
Subject	"$user" and SESSION_USER and CURRENT_USER
Date	December 20, 2018 18:38:26
Msg-id	159151fb45d490c8d31ea9707e9ba99d@stdpr.ru Whole thread Raw
Responses	Re: "$user" and SESSION_USER and CURRENT_USER (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-docs

Tree view

hi,

sorry for my message. I'm tiny confused about the next one. could you 
help me?:

here -- https://www.postgresql.org/docs/11/runtime-config-client.html

there is the text """If one of the list items is the special name $user, 
then the schema having the name returned by SESSION_USER is substituted, 
if there is such a schema and the user has USAGE permission for it. (If 
not, $user is ignored.)""".

but actualy "$user" substitutes CURRENT_USER-value (not 
SESSION_USER-value).

it's good because it would be a SECURITY VULNERABILITY if "$user" 
substituted SESSION_USER-value (in conjunction with security definer 
functions).

in case of CURRENT_USER-value we have no the vulnerable. which is good 
:-)

but is there error in documentation text (runtime-config-client.html) , 
isn't?

thank you in advance.

pgsql-docs by date:

From: PG Doc comments form
Date: 19 December 2018, 22:52:57
Subject: Need clarification on how to extract or compare numeric valuesenclosed in jsonb

From: Tom Lane
Date: 20 December 2018, 21:42:32
Subject: Re: "$user" and SESSION_USER and CURRENT_USER

"$user" and SESSION_USER and CURRENT_USER - Mailing list pgsql-docs

Previous

Next