| From: | Ron <ronljohnsonjr(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pg_dump and search_path |
| Date: | 2019-07-09 13:28:57 |
| Message-ID: | 64b7168a-7fb4-ddb0-f7aa-298638fb64af@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 7/9/19 2:22 AM, Laurenz Albe wrote:
> On Mon, 2019-07-08 at 23:54 -0700, Igal @ Lucee.org wrote:
>>> I have a custom search_path:
>>>
>>> # show search_path;
>>> search_path
>>> ----------------------------------
>>> "staging, transient, pg_catalog"
>>> (1 row)
>>>
>>> I ran `pg_dump --schema-only` and the only reference in the output to
>>> search_path is:
>>>
>>> SELECT pg_catalog.set_config('search_path', '', false);
>>>
>>> Then one of my functions which does not reference the full name of a
>>> table with its schema fails with "relation [rel-name] does not exist".
>>>
>>> Is that a bug? I have seen some old posts about this issue but am not
>>> sure if there is a ticket or why it still is an issue.
>>>
>> Looks like this might be by design. I will follow the links at
>> https://www.postgresql.org/message-id/flat/MWHPR14MB160079A6D9DC64A2F60E9004C0D00%40MWHPR14MB1600.namprd14.prod.outlook.com
>> and ask more questions if I have them.
>>
>> I might need to add the schema name to the table in my function.
> Right.
>
> Allowing object lookup along the search_path during pg_restore opens
> doors to abuse, because it can make a superuser inadvertedly execute
> code crafted by an attacker.
Then should search_path be set at the end of pg_restore?
--
Angular momentum makes the world go 'round.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Konstantin Malanchev | 2019-07-09 13:31:39 | Re: PGSQL 11.4: shared_buffers and /dev/shm size |
| Previous Message | Achilleas Mantzios | 2019-07-09 13:28:25 | Re: SuperUser permission denied when creating table. |