Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From Ashutosh Sharma
Subject Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date
Msg-id CAE9k0PkBMY6AXLgC4SdvSKNX5+RJZ3FRAhh1q9+VLPnN56eXZw@mail.gmail.com
In response to Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions  (Jelte Fennema-Nio <postgres@jeltef.nl>)
Responses Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
List pgsql-hackers
Hi,

On Tue, Jun 11, 2024 at 5:02 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote:
>
> On Tue, 11 Jun 2024 at 11:54, Ashutosh Sharma <ashu.coek88@gmail.com> wrote:
> > 1) Extends the CREATE EXTENSION command to support a new option, SET
> > SEARCH_PATH.
>
>
> I don't think it makes sense to add such an option to CREATE EXTENSION.
> I feel like such a thing should be part of the extension control file
> instead. That way the extension author controls the search path, not
> the person that installs the extension.

If the author has configured the search_path for any desired function,
using this option with the CREATE EXTENSION command will not affect
those functions.

--
With Regards,
Ashutosh Sharma.
