Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From Ashutosh Sharma
Subject Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Msg-id CAE9k0P=v8y+EbSyFQJ1GbeyxM7wL14GPiqs-uVBcx8nY3X82DQ@mail.gmail.com
In response to Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions  (John H <johnhyvr@gmail.com>)
Responses Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
List pgsql-hackers
Hi,

On Wed, Jun 12, 2024 at 11:35 PM John H <johnhyvr@gmail.com> wrote:
>
> > But, I also agree with Jelte, it should be a property of a control file, rather than a user controlled parameter, so that an attacker can't opt out.
>

This will be addressed in the next patch version.

> +1. Also curious what happens if an extension author has search_path
> already set in proconfig for a function that doesn't match what's in
> the control file. I'm guessing the function one should take
> precedence.
>

Yes, if the author has explicitly set the proconfig, it will take precedence.

--
With Regards,
Ashutosh Sharma.
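As an added illustration of the precedence point above (this is constructed example SQL, not code from the thread, the patch, or any PostgreSQL extension): a SECURITY DEFINER function whose author has explicitly set search_path stores that setting in pg_proc.proconfig, and a review query can list the SECURITY DEFINER functions that have no such entry, i.e. the ones that would rely on a default such as the control-file property being discussed. The schema ext_demo and the function lookup_owner are assumed names chosen for the example.

```sql
-- Constructed example (not from the thread): a SECURITY DEFINER function
-- with search_path pinned per function. The SET clause is stored in
-- pg_proc.proconfig, so the function does not inherit the caller's
-- session search_path, and the explicit setting is what takes precedence.
CREATE SCHEMA IF NOT EXISTS ext_demo;

CREATE OR REPLACE FUNCTION ext_demo.lookup_owner(p_id integer)
RETURNS text
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- lands in proconfig
AS $$
  SELECT 'owner-' || p_id::text;
$$;

-- Review query: SECURITY DEFINER functions with no search_path entry in
-- proconfig. unnest(NULL) yields no rows, so a NULL proconfig is flagged too.
SELECT n.nspname, p.proname, p.prosecdef, p.proconfig
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT EXISTS (
    SELECT 1
    FROM unnest(p.proconfig) AS c
    WHERE c LIKE 'search_path=%'
  )
ORDER BY 1, 2;
```

Run the review query after installing an extension: ext_demo.lookup_owner does not appear because its proconfig carries search_path, while any SECURITY DEFINER function without an explicit SET clause is listed for inspection.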
