Re: Security Definer functions no longer works in PG14+ - Mailing list pgsql-bugs

From David G. Johnston
Subject Re: Security Definer functions no longer works in PG14+
Date
Msg-id CAKFQuwbuYz3wg2a8nyVZB+3aASDZu=sL=MXpBaVAHS_8pZ=HXg@mail.gmail.com
In response to Re: Security Definer functions no longer works in PG14+  (Andrew Borodin <amborodin86@gmail.com>)
Responses Re: Security Definer functions no longer works in PG14+
List pgsql-bugs


On Thursday, May 5, 2022, Andrew Borodin <amborodin86@gmail.com> wrote:
> On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc@gmx.net> wrote:
> >
> > The aiven-extras repo has a workaround for that, using dblink: https://github.com/aiven/aiven-extras/commit/eb8c1107ca91a7da5ecb0c8127c94ce42762881d
>
> > SECURITY DEFINER
> > pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)', arg_subscription_name, arg_copy_data::TEXT)
>
> Doesn't this constitute Bobby-tables SQL injection?


How do you suppose the caller of the function gets the passed-in boolean, when cast to text, to print anything other than “t” or “f” (null might bork things but still not unsafe)?

The %I handles the name.

David J.
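An added illustration of the point made in the reply above; this is not code from the thread or from aiven-extras. It runs against any PostgreSQL server, creates no subscription, and only inspects the text that pg_catalog.format() produces for the two placeholders in the quoted statement. The hostile subscription name and the accounts table are constructed for the example.

```sql
-- Added example (not from the thread or from aiven-extras).
-- Constructed hostile identifier: a subscription name carrying an SQL payload.

-- 1. %I applies identifier quoting: the whole name becomes one double-quoted
--    identifier (embedded double quotes are doubled), so the payload is part
--    of the name and never becomes a separate statement.
SELECT pg_catalog.format(
         'ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)',
         'sub"; DROP TABLE accounts; --',   -- constructed hostile name
         true::text) AS safe_statement;

-- 2. The second argument is a boolean parameter cast to text, so only
--    't', 'f' or NULL can reach %s (format() renders a NULL %s argument as
--    an empty string, which leaves a syntax error, not an injection).
SELECT b, pg_catalog.format('WITH (copy_data=%s)', b::text) AS rendered
FROM (VALUES (true), (false), (NULL::boolean)) AS v(b);

-- 3. For contrast, the unsafe variant: %s on the name pastes the string in
--    verbatim, and the payload would be executed as SQL.
SELECT pg_catalog.format(
         'ALTER SUBSCRIPTION %s REFRESH PUBLICATION WITH (copy_data=%s)',
         'sub"; DROP TABLE accounts; --',
         true::text) AS unsafe_statement;

-- 4. Self-check: the %I rendering keeps the payload inside one quoted
--    identifier, and a boolean cast to text is never anything but t/f/NULL.
DO $$
BEGIN
  ASSERT pg_catalog.format('ALTER SUBSCRIPTION %I', 'sub"; DROP TABLE accounts; --')
         = 'ALTER SUBSCRIPTION "sub""; DROP TABLE accounts; --"';
  ASSERT pg_catalog.format('%s', true::text)  = 't';
  ASSERT pg_catalog.format('%s', false::text) = 'f';
  ASSERT pg_catalog.format('%s', NULL::boolean::text) = '';
END $$;
```

Two practitioner notes on the pattern. First, the argument type is what closes the door on %s: the function signature forces a boolean, so there is no string the caller can pass that survives the cast as anything but t or f. Second, the pg_catalog. prefix on format() matters in a SECURITY DEFINER function, because it resolves to the built-in regardless of the caller's search_path; an unqualified format() could otherwise be shadowed by a user-created function of the same name.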
