Home > mailing lists

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From	Jeff Davis
Subject	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date	June 12 00:37:11
Msg-id	435ba8595b017e0788d1f34f2f5dd9e4655ccd76.camel@j-davis.com Whole thread Raw
In response to	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions (Ashutosh Sharma <ashu.coek88@gmail.com>)
Responses	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
List	pgsql-hackers

Tree view

On Tue, 2024-06-11 at 15:24 +0530, Ashutosh Sharma wrote:
> 3) When the ALTER EXTENSION SET SCHEMA command is executed and if the
> function's search_path contains the old schema of the extension, it
> is
> updated with the new schema.

I don't think it's reasonable to search-and-replace within a function's
SET clause at ALTER time.

I believe we need a new special search_path item, like
"$extension_schema", to mean the schema of the extension owning the
function. It would, like "$user", automatically adjust to the current
value when changed.

That sounds like a useful and non-controversial change.

Regards,
    Jeff Davis

pgsql-hackers by date:

From: Jeff Davis
Date: 12 June, 00:31:39
Subject: Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

From: Michael Paquier
Date: 12 June, 01:52:19
Subject: Re: Doc: fix a description regarding WAL summarizer on glossary page

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

Previous

Next