Home > mailing lists

pgsql: Document search_path security with untrusted dbowner or CREATERO - Mailing list pgsql-committers

From	Noah Misch
Subject	pgsql: Document search_path security with untrusted dbowner or CREATERO
Date	December 8, 2019 22:11:33
Msg-id	E1ie1xt-0006j8-7t@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

Document search_path security with untrusted dbowner or CREATEROLE.

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that
certain schema usage patterns are secure against CREATEROLE users and
database owners.  When an untrusted user is the database owner or holds
CREATEROLE privilege, a query is secure only if its session started with
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.
Back-patch to 9.4 (all supported versions).

Discussion: https://postgr.es/m/20191013013512.GC4131753@rfd.leadboat.com

Branch
------
REL9_4_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/08395e592cbc540bdf111ab4a27e01a375983e23

Modified Files
--------------
doc/src/sgml/ddl.sgml | 80 +++++++++++++++++++++++++--------------------------
1 file changed, 40 insertions(+), 40 deletions(-)

pgsql-committers by date:

From: Tom Lane
Date: 08 December 2019, 18:36:43
Subject: pgsql: Doc: improve documentation about run-time pruning's effects on E

From: Amit Kapila
Date: 09 December 2019, 06:46:01
Subject: pgsql: Fix typos in miscinit.c.

pgsql: Document search_path security with untrusted dbowner or CREATERO - Mailing list pgsql-committers

Previous

Next