Home > mailing lists

pgsql: Document search_path security with untrusted dbowner or CREATERO - Mailing list pgsql-committers

From	Noah Misch
Subject	pgsql: Document search_path security with untrusted dbowner or CREATERO
Date	December 8, 2019 22:11:33
Msg-id	E1ie1xt-0006iw-2O@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

Document search_path security with untrusted dbowner or CREATEROLE.

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that
certain schema usage patterns are secure against CREATEROLE users and
database owners.  When an untrusted user is the database owner or holds
CREATEROLE privilege, a query is secure only if its session started with
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.
Back-patch to 9.4 (all supported versions).

Discussion: https://postgr.es/m/20191013013512.GC4131753@rfd.leadboat.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/fd5e16e782fc6cd829b27e2c83c623b8020e5774

Modified Files
--------------
doc/src/sgml/ddl.sgml | 80 +++++++++++++++++++++++++--------------------------
1 file changed, 40 insertions(+), 40 deletions(-)

pgsql-committers by date:

From: Tom Lane
Date: 08 December 2019, 18:36:43
Subject: pgsql: Doc: improve documentation about run-time pruning's effects on E

From: Amit Kapila
Date: 09 December 2019, 06:46:01
Subject: pgsql: Fix typos in miscinit.c.

pgsql: Document search_path security with untrusted dbowner or CREATERO - Mailing list pgsql-committers

Previous

Next