pgsql: Document search_path security with untrusted dbowner or CREATERO - Mailing list pgsql-committers

From Noah Misch
Subject pgsql: Document search_path security with untrusted dbowner or CREATERO
Date
Msg-id E1ie1xt-0006j6-6q@gemulon.postgresql.org
List pgsql-committers
Document search_path security with untrusted dbowner or CREATEROLE.

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that
certain schema usage patterns are secure against CREATEROLE users and
database owners.  When an untrusted user is the database owner or holds
CREATEROLE privilege, a query is secure only if its session started with
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.
Back-patch to 9.4 (all supported versions).

Discussion: https://postgr.es/m/20191013013512.GC4131753@rfd.leadboat.com

Branch
------
REL9_5_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3056258149c1aea7341a4d81bd502e1a1c8198a6

Modified Files
--------------
doc/src/sgml/ddl.sgml | 80 +++++++++++++++++++++++++--------------------------
1 file changed, 40 insertions(+), 40 deletions(-)
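
A client-side check for the rule stated in the commit message, as an added example that is not part of the commit or of PostgreSQL: it reports SQL session scripts whose first statement is not the `set_config` call quoted above, or that mention `search_path` again afterwards. The function names, the sample scripts and the `app.orders` table are assumptions made for illustration.

```python
import re

# The call quoted in the commit message; whitespace and keyword case may vary.
LOCKDOWN = re.compile(
    r"select\s+pg_catalog\.set_config\s*\(\s*'search_path'\s*,\s*''\s*,"
    r"\s*false\s*\)", re.IGNORECASE)

def statements(sql):
    """Split on ';' outside comments and '...' literals (dollar quoting not handled)."""
    out, buf, i, n = [], [], 0, len(sql)
    while i < n:
        if sql.startswith("--", i):            # line comment: skip to end of line
            j = sql.find("\n", i)
            i = n if j < 0 else j
        elif sql.startswith("/*", i):          # block comment (non-nested): skip past */
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif sql[i] == "'":                    # literal; '' inside it is an escaped quote
            j = i + 1
            while j < n and (sql[j] != "'" or sql[j + 1:j + 2] == "'"):
                j += 2 if sql[j] == "'" else 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql[i] == ";":                    # statement boundary
            out.append("".join(buf).strip())
            buf, i = [], i + 1
        else:
            buf.append(sql[i])
            i += 1
    out.append("".join(buf).strip())
    return [s for s in out if s]

def check_session(sql):
    """Return findings; an empty list means the script starts locked down and stays so."""
    stmts = statements(sql)
    findings = []
    if not stmts or not LOCKDOWN.fullmatch(stmts[0]):
        findings.append("first statement is not the search_path lock-down")
    for pos, stmt in enumerate(stmts[1:], start=2):
        # Coarse on purpose: any later mention of search_path is flagged for review.
        if re.search(r"\bsearch_path\b", stmt, re.IGNORECASE):
            findings.append(f"statement {pos} touches search_path again")
    return findings

# Constructed sample scripts (schema and table names are made up).
GOOD = """-- nightly report; constructed sample
SELECT pg_catalog.set_config('search_path', '', false);
SELECT pg_catalog.count(*) FROM app.orders;"""
UNLOCKED = "SELECT count(*) FROM orders;"
REWIDENED = GOOD + "\nSET search_path = public;\nSELECT count(*) FROM orders;"
```

The check recognises only the literal call from the commit message, so a script that uses an equivalent form is reported and needs manual review.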

