| From: | David Fetter <david(at)fetter(dot)org> |
|---|---|
| To: | PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Schema-qualify function calls in information_schema |
| Date: | 2017-12-20 17:21:22 |
| Message-ID: | 20171220172122.GF10102@fetter.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Folks,
It's possible to arrange for schemas to precede pg_catalog and
information_schema in a search_path setting, and when that's done,
hilarity can ensue, especially when someone has created functions with
identical signatures but non-identical behavior. People who do that
should probably be presumed to be attackers, but it's conceivable that
such hilarity could merely be poor judgement combined with buggy code.
Please find attached a patch against master to do $Subject, which
tones down the hilarity, at least in information_schema. I did not
attempt to go through and make sure that functions calls are
schema-qualified all through the back-end, but that seems like a
worthwhile project on grounds of reducing the search_path attack
surface.
Another way to fix this, which I know will be controversial, is simply
to mandate that pg_catalog (and possibly information_schema) be
non-changeably first in the search_path.
What say?
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Schema-qualified-function-calls.patch | text/x-diff | 29.6 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | neto brpr | 2017-12-20 17:29:37 | Cost Model |
| Previous Message | Tom Lane | 2017-12-20 17:12:48 | Re: Letting plpgsql in on the fun with the new expression eval stuff |