Re: PCI:SSF - Safe SQL Query & operators filter

From: Christophe Pettus <xof(at)thebuild(dot)com>
To: Jan Bilek <jan(dot)bilek(at)eftlab(dot)com(dot)au>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: PCI:SSF - Safe SQL Query & operators filter
Date: 2022-11-08 01:29:44
Message-ID: 23C450AB-9333-40CB-8ED1-F15D15BED878@thebuild.com
Lists: pgsql-general

> On Nov 7, 2022, at 17:24, Jan Bilek <jan(dot)bilek(at)eftlab(dot)com(dot)au> wrote:
> Would there be any way to go around this?

The typical configuration is to not permit the PostgreSQL superuser to log in remotely. The database can be managed by a different, non-superuser role, including schema migrations.

> CREATE OR REPLACE LANGUAGE plpython3u;
> HINT: Must be superuser to create this extension.

The reason only a superuser can create this extension is the "u" at the end of the name: It is an untrusted PL that can bypass PostgreSQL's role system. If anyone could create functions in it, anyone could bypass roles.
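
The setup described in the reply above, as an added example that is not part of the original message: a non-superuser role that owns the database and runs migrations, `pg_hba.conf` rules that keep the superuser off the network, and catalog queries to audit superusers and untrusted languages. The names `app_owner` and `appdb`, the password, the superuser name `postgres` and the address range are assumptions made for illustration.

```sql
-- Added example; role, database, password and network values are hypothetical.

-- 1. Non-superuser role that owns the application database and runs
--    schema migrations. It cannot create roles, databases or untrusted PLs.
CREATE ROLE app_owner LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'change-me';            -- placeholder, replace before use
CREATE DATABASE appdb OWNER app_owner;

-- 2. pg_hba.conf (first matching line wins), shown here as comments:
--    the superuser connects only over the local Unix socket; any TCP
--    attempt as that role is rejected before authentication is tried.
--
--    # TYPE  DATABASE  USER       ADDRESS       METHOD
--    local   all       postgres                 peer
--    host    all       postgres   0.0.0.0/0     reject
--    host    all       postgres   ::/0          reject
--    host    appdb     app_owner  10.0.0.0/8    scram-sha-256

-- 3. Audit: every role with superuser rights, and whether it can log in.
SELECT rolname, rolsuper, rolcanlogin
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 4. Audit: installed procedural languages. lanpltrusted = false marks
--    the untrusted ones (the "u" suffix, for example plpython3u).
SELECT lanname, lanpltrusted, pg_get_userbyid(lanowner) AS owner
FROM pg_language
WHERE lanispl
ORDER BY lanname;

-- 5. Audit: functions written in an untrusted language, with their owner
--    and whether they run as SECURITY DEFINER (prosecdef).
SELECT n.nspname AS schema,
       p.proname AS function,
       l.lanname AS language,
       pg_get_userbyid(p.proowner) AS owner,
       p.prosecdef AS security_definer
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanispl AND NOT l.lanpltrusted
ORDER BY 1, 2;
```

Changes to `pg_hba.conf` take effect after a configuration reload, for example `SELECT pg_reload_conf();` run as the superuser on the local socket.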
