Home > mailing lists

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

From	Jeff Davis
Subject	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date	July 16 02:28:02
Msg-id	c6312d610b65b2cc6d68adceb6df0a5050fb07b9.camel@j-davis.com Whole thread Raw
In response to	Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions (Robert Haas <robertmhaas@gmail.com>)
List	pgsql-hackers

Tree view

On Mon, 2024-07-15 at 16:04 -0400, Robert Haas wrote:
> Oh, I had the opposite idea: I wasn't proposing ignoring it. I was
> proposing making it work.

I meant: ignore $extension_schema if the search_path has nothing to do
with an extension. In other words, if it's in a search_path for the
session, or on a function that's not part of an extension.

On re-reading, I see that you mean it should work if they explicitly
set it as a part of a function that *is* part of an extension. And I
agree with that -- just make it work.

Regards,
    Jeff Davis

pgsql-hackers by date:

From: Andres Freund
Date: 16 July, 01:48:37
Subject: Re: CI, macports, darwin version problems

From: Joseph Koshakow
Date: 16 July, 02:55:22
Subject: Re: Remove dependence on integer wrapping

Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions - Mailing list pgsql-hackers

Previous

Next