Re: Fixing insecure security definer functions

Stephen, Tom,

> > Eeek. *Which* caller's search_path? The string you're handed
> > might've come from multiple levels up.
>
> I would say the outer-most. If people inbetween want to mess with
> things, let them qualify it before handing it down. Clearly, an
> already-qualified object would be left alone.

Based on further IRC, I can personally see a solution which would be
generally useful. Further, this solution doesn't require (or shouldn't)
any modification of the existing function_path solution. It just requires
two functions, which could be developed now or later:

1) pg_get_caller_path() == returns the search_path of the calling session,
which presumably is being stored somewhere for reversion when the final
nested function exits.

2) pg_get_object_fullname(name, path) == returns the fully-qualified object
name of an object based on the path supplied.

In addition to Stephen's peculiar application, I can see these functions
being useful for a variety of applications which might mix path-set
functions with pathless functions, or which use hundreds of schema to
isolate user objects.

However, I don't see this as being anything which would hold up 8.3, since
function_path doesn't break anything which was already working.

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco