Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From Jeff Davis
Subject Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Msg-id 61c1455b17cd0e67e087cb09e55c45d8852a1ede.camel@j-davis.com
In response to Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions  (Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>)
List pgsql-hackers
On Wed, 2024-06-12 at 12:13 +0530, Ashutosh Bapat wrote:
> > Alternatively, we could leverage the extension dependency
> > information
> > to determine whether the function is created by an extension or
> > not.
>
> That will be simpler. We do that sort of thing for identity
> sequences. So there's a precedent to do that kind of stuff. 

I did not look at the details, but +1 for using information we already
have. There's a little bit of extra work to resolve it, but thanks to
the search_path cache it should only need to be done once per unique
search_path setting per session.

Regards,
    Jeff Davis
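An added audit query, written for this page rather than taken from the thread, that applies the idea quoted above: it identifies functions "created by an extension" through the pg_depend extension-membership link (deptype 'e') and, for the SECURITY DEFINER ones, reports whether proconfig pins a search_path. It assumes only the standard system catalogs.

```sql
-- Added example (not from the thread): list SECURITY DEFINER functions that
-- belong to an extension, using the pg_depend 'e' dependency as the signal
-- for "created by an extension", and flag those without a pinned search_path.
SELECT e.extname,
       n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS args,
       -- proconfig holds the function's SET clauses; a SECURITY DEFINER
       -- function with no fixed search_path resolves unqualified names
       -- under the caller's search_path, which is the risk being discussed.
       EXISTS (SELECT 1
               FROM   unnest(COALESCE(p.proconfig, '{}'::text[])) AS c
               WHERE  c LIKE 'search_path=%')      AS has_pinned_search_path
FROM   pg_proc      p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_depend    d ON d.classid    = 'pg_proc'::regclass
                     AND d.objid      = p.oid
                     AND d.refclassid = 'pg_extension'::regclass
                     AND d.deptype    = 'e'        -- extension membership
JOIN   pg_extension e ON e.oid = d.refobjid
WHERE  p.prosecdef                                 -- SECURITY DEFINER only
ORDER  BY e.extname, n.nspname, p.proname;
```

Rows with has_pinned_search_path = false are the ones worth reviewing; a pinned search_path is set per function with ALTER FUNCTION ... SET search_path.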
