Home > mailing lists

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From	Ashutosh Sharma
Subject	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date	June 11 16:27:16
Msg-id	CAE9k0PmdPkGLvjR9zzgH4FqAVjV6rm0jOrUNi5cHsQOoutBW4A@mail.gmail.com Whole thread Raw
In response to	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions (Alexander Kukushkin <cyberdemn@gmail.com>)
Responses	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
List	pgsql-hackers

Tree view

Hi Alexander,

On Tue, Jun 11, 2024 at 6:26 PM Alexander Kukushkin <cyberdemn@gmail.com> wrote:
>
> Hi,
>
> On Tue, 11 Jun 2024 at 14:50, Ashutosh Sharma <ashu.coek88@gmail.com> wrote:
>>
>> If the author has configured the search_path for any desired function,
>> using this option with the CREATE EXTENSION command will not affect
>> those functions.
>
>
> Then effectively this feature is useless.
> Now attackers can just set search_path for the current session.
> With this feature they will also be able to influence search_path of not protected functions when they create an
extension.
>

Apologies for any confusion, but I'm not entirely following your
explanation. Could you kindly provide further clarification?
Additionally, would you mind reviewing the problem description
outlined in the initial email?

--
With Regards,
Ashutosh Sharma.

pgsql-hackers by date:

From: Ranier Vilela
Date: 11 June, 16:01:25
Subject: Re: Improve the granularity of PQsocketPoll's timeout parameter?

From: Joseph Koshakow
Date: 11 June, 16:31:39
Subject: Re: Remove dependence on integer wrapping

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

Previous

Next