Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From Jeff Davis
Subject Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Msg-id 7334cc6cde2ffae35a440159c003c34f7c561790.camel@j-davis.com
In response to Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions  (Alexander Kukushkin <cyberdemn@gmail.com>)
List pgsql-hackers
On Tue, 2024-06-11 at 14:56 +0200, Alexander Kukushkin wrote:
> Now attackers can just set search_path for the current session.

IIUC, the proposal is that only the function's "SET" clause can
override the behavior, not a top-level SET command.

Regards,
    Jeff Davis



