Home > mailing lists

Re: Security Definer functions no longer works in PG14+ - Mailing list pgsql-bugs

From	Andrew Borodin
Subject	Re: Security Definer functions no longer works in PG14+
Date	May 6, 2022 09:21:11
Msg-id	CAAhFRxg4c7Z=mmwKy9PRcmfrN5_t5+nNeZztevATrUa7aaVhuw@mail.gmail.com Whole thread Raw
In response to	Re: Security Definer functions no longer works in PG14+ (Jan Katins <jasc@gmx.net>)
Responses	Re: Security Definer functions no longer works in PG14+
List	pgsql-bugs

Tree view

On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc@gmx.net> wrote:
>
> The aiven-extras repo has a workaround for that, using dblink:
https://github.com/aiven/aiven-extras/commit/eb8c1107ca91a7da5ecb0c8127c94ce42762881d

> SECURITY DEFINER
> pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)', arg_subscription_name,
arg_copy_data::TEXT)

Doesn't this constitute Bobby-tables SQL injection?

Best regards, Andrey Borodin.

pgsql-bugs by date:

From: Jobin Augustine
Date: 06 May 2022, 08:37:28
Subject: Re: Security Definer functions no longer works in PG14+

From: "David G. Johnston"
Date: 06 May 2022, 09:32:38
Subject: Re: Security Definer functions no longer works in PG14+

Re: Security Definer functions no longer works in PG14+ - Mailing list pgsql-bugs

Previous

Next