Home > mailing lists

Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

From	Christophe Pettus
Subject	Re: PCI:SSF - Safe SQL Query & operators filter
Date	November 8, 2022 04:29:44
Msg-id	23C450AB-9333-40CB-8ED1-F15D15BED878@thebuild.com Whole thread Raw
In response to	PCI:SSF - Safe SQL Query & operators filter (Jan Bilek <jan.bilek@eftlab.com.au>)
Responses	Re: PCI:SSF - Safe SQL Query & operators filter (Jan Bilek <jan.bilek@eftlab.com.au>)
List	pgsql-general

Tree view

> On Nov 7, 2022, at 17:24, Jan Bilek <jan.bilek@eftlab.com.au> wrote:
> Would there be any way to go around this?

The typical configuration is to not permit the PostgreSQL superuser to log in remotely.  The database can be managed by
adifferent, non-superuser role, including schema migrations. 

> CREATE OR REPLACE LANGUAGE plpython3u;
> HINT:  Must be superuser to create this extension.

The reason only a superuser can create this extension is the "u" at the end of the name: It is an untrusted PL that can
bypassPostgreSQL's role system.  If anyone could create functions in it, anyone could bypass roles.

pgsql-general by date:

From: Jan Bilek
Date: 08 November 2022, 04:24:49
Subject: PCI:SSF - Safe SQL Query & operators filter

From: Jan Bilek
Date: 08 November 2022, 04:43:02
Subject: Re: PCI:SSF - Safe SQL Query & operators filter

Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

Previous

Next