| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Jelte Fennema-Nio <me(at)jeltef(dot)nl> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Extension security improvement: Add support for extensions with an owned schema |
| Date: | 2024-06-19 17:55:44 |
| Message-ID: | 139657.1718819744@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Jelte Fennema-Nio <me(at)jeltef(dot)nl> writes:
> On Wed, 19 Jun 2024 at 17:28, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> I have a feeling that this might be pretty annoying to implement, and
>> if that is true, then never mind.
> Based on a quick look it's not trivial, but also not super bad.
> Basically it seems like in src/backend/catalog/namespace.c, every time
> we loop over activeSearchPath and CurrentExtensionObject is set, then
> we should skip any item that's not stored in pg_catalog, unless
> there's a DEPENDENCY_EXTENSION pg_depend entry for the item (and that
> pg_depend entry references the extension or the requires list).
We could change the lookup rules that apply during execution of
an extension script, but we already restrict search_path at that
time so I'm not sure how much further this'd move the goalposts.
The *real* problem IMO is that if you create a PL function or
(old-style) SQL function within an extension, execution of that
function is not similarly protected.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Geoghegan | 2024-06-19 18:06:59 | Re: Maybe don't process multi xmax in FreezeMultiXactId() if it is already marked as invalid? |
| Previous Message | Jelte Fennema-Nio | 2024-06-19 17:50:09 | Re: Extension security improvement: Add support for extensions with an owned schema |