Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From Isaac Morland
Subject Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Msg-id CAMsGm5cThueMPSKugXw6bLu0sgJNz1R0EOfhZW1-kytUZxFH_w@mail.gmail.com
In response to Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions  (Jeff Davis <pgsql@j-davis.com>)
Responses Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
List pgsql-hackers
On Thu, 6 Jun 2024 at 12:53, Jeff Davis <pgsql@j-davis.com> wrote:
 
> > I didn't get you completely here. w.r.t extensions how will this have
> > an impact if we set the search_path for definer functions.
>
> If we only set the search path for SECURITY DEFINER functions, I don't
> think that solves the whole problem.

Indeed. While the ability for a caller to set the search_path for a security definer function introduces security problems that are different than for security invoker functions, it's still weird for the behaviour of a function to depend on the caller's search_path. It’s even weirder for the default search path behaviour to be different depending on whether or not the function is security definer.
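
The behaviour discussed in this message, as an added example that is not part of the original email or of any PostgreSQL patch: an unqualified name inside a function is resolved through the caller's search_path for SECURITY INVOKER and SECURITY DEFINER functions alike, unless the function carries its own `SET search_path` clause. The schemas `app` and `other` and all function names are constructed for the demonstration.

```sql
-- Constructed demo objects; everything is rolled back at the end.
BEGIN;

CREATE SCHEMA app;
CREATE SCHEMA other;

-- Two same-named helpers in different schemas, so the result shows which one resolved.
CREATE FUNCTION app.label()   RETURNS text LANGUAGE sql AS $$ SELECT 'app.label'   $$;
CREATE FUNCTION other.label() RETURNS text LANGUAGE sql AS $$ SELECT 'other.label' $$;

-- SECURITY INVOKER (the default), no search_path setting:
-- label() is looked up through whatever search_path the caller has.
CREATE FUNCTION app.describe_invoker() RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
  RETURN label();
END $$;

-- SECURITY DEFINER, no search_path setting: same lookup rule,
-- but the resolved code now runs with the function owner's privileges.
CREATE FUNCTION app.describe_definer() RETURNS text
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  RETURN label();
END $$;

-- SECURITY DEFINER with a per-function search_path: lookup no longer
-- depends on the caller. pg_temp is listed last so temporary objects
-- cannot shadow the trusted schema.
CREATE FUNCTION app.describe_pinned() RETURNS text
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = app, pg_temp AS $$
BEGIN
  RETURN label();
END $$;

-- Caller session 1: app first on the path.
SET search_path = app, public;
SELECT app.describe_invoker(), app.describe_definer(), app.describe_pinned();

-- Caller session 2: other first on the path. Only the pinned function
-- keeps resolving label() in schema app.
SET search_path = other, public;
SELECT app.describe_invoker(), app.describe_definer(), app.describe_pinned();

ROLLBACK;
```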
