Re: Security Definer functions no longer works in PG14+ - Mailing list pgsql-bugs

From Andrew Borodin
Subject Re: Security Definer functions no longer works in PG14+
Date
Msg-id CAAhFRxg4c7Z=mmwKy9PRcmfrN5_t5+nNeZztevATrUa7aaVhuw@mail.gmail.com
In response to Re: Security Definer functions no longer works in PG14+  (Jan Katins <jasc@gmx.net>)
Responses Re: Security Definer functions no longer works in PG14+
List pgsql-bugs
On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc@gmx.net> wrote:
>
> The aiven-extras repo has a workaround for that, using dblink:
> https://github.com/aiven/aiven-extras/commit/eb8c1107ca91a7da5ecb0c8127c94ce42762881d

> SECURITY DEFINER
> pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)', arg_subscription_name, arg_copy_data::TEXT)

Doesn't this constitute Bobby-tables SQL injection?

Best regards, Andrey Borodin.
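
How the two placeholders in the quoted format() call treat their arguments, as an added example that is not part of the original message or of the aiven-extras code. The sample names, the students table, and the assumption that arg_copy_data is declared BOOLEAN are illustrative and do not come from the page.

```sql
-- Added example. All sample values below are constructed.
-- %I quotes its argument as a single SQL identifier (like quote_ident);
-- %s inserts its argument verbatim.
WITH samples(arg_subscription_name) AS (
    VALUES ('my_sub'),
           ('my sub'),
           ('weird"name'),
           ('x; DROP TABLE students; --')
)
SELECT arg_subscription_name,
       pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION',
                         arg_subscription_name) AS built_with_i,
       pg_catalog.format('ALTER SUBSCRIPTION %s REFRESH PUBLICATION',
                         arg_subscription_name) AS built_with_s
FROM samples;

-- Assumption: arg_copy_data is BOOLEAN. A boolean cast to text has only two
-- possible renderings, so %s has no free-form text to carry.
SELECT b AS arg_copy_data,
       pg_catalog.format('WITH (copy_data=%s)', b::TEXT) AS built_option
FROM (VALUES (true), (false)) AS v(b);

-- If the parameter were TEXT instead, %s would pass it through unchanged.
-- Casting to BOOLEAN first rejects anything that is not a boolean literal
-- before the statement text is built.
DO $$
DECLARE
    hostile TEXT := 'false); DROP TABLE students; --';  -- constructed value
BEGIN
    PERFORM pg_catalog.format('WITH (copy_data=%s)', (hostile::BOOLEAN)::TEXT);
    RAISE NOTICE 'accepted';
EXCEPTION WHEN invalid_text_representation THEN
    RAISE NOTICE 'rejected non-boolean copy_data value';
END
$$;
```

Comparing the built_with_i and built_with_s columns row by row shows which placeholder keeps a hostile name inside one identifier token.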


