tsvector_update_trigger() is utterly insecure

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org, Oleg Bartunov <oleg(at)sai(dot)msu(dot)su>, Teodor Sigaev <teodor(at)sigaev(dot)ru>
Subject: tsvector_update_trigger() is utterly insecure
Date: 2007-08-17 01:17:02
Message-ID: 25512.1187313422@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

We can't put tsvector_update_trigger() into core in anything like its
current form. As is, it will take an unqualified function name, look
it up, and call it. The prospects for subversion by search path
manipulation are obvious, and even if you aren't concerned about
malicious attacks, the effects of the trigger are context-dependent
(and maybe time-varying; it doesn't insist on the function being
immutable) in exactly the same way that we've been saying we can't
accept for the tsearch configuration.

I think we should redefine the trigger as taking trigger arguments that
are first a config name, then a list of one or more field names, and
nothing else.

People who want extra processing done on their fields before forming the
tsvector can write custom triggers to do it ...

regards, tom lane

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2007-08-17 01:31:29 Re: GIT patch
Previous Message Tom Lane 2007-08-17 01:09:26 tsearch patch and namespace pollution