Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Alexander Kukushkin <cyberdemn(at)gmail(dot)com>, Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
Cc: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date: 2024-06-11 21:31:39
Message-ID: 7334cc6cde2ffae35a440159c003c34f7c561790.camel@j-davis.com
Lists: pgsql-hackers

On Tue, 2024-06-11 at 14:56 +0200, Alexander Kukushkin wrote:
> Now attackers can just set search_path for the current session.

IIUC, the proposal is that only the function's "SET" clause can
override the behavior, not a top-level SET command.

Regards,
Jeff Davis
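The function-level SET clause the reply refers to, shown as an added example that is not code from the thread; the schema `app`, the function `count_rows` and the role `app_user` are assumed names:

```sql
-- Added example (not from the thread). A SECURITY DEFINER function pins
-- search_path in its own SET clause, so the value is in force only while
-- the function body runs, regardless of what the calling session set.
CREATE SCHEMA IF NOT EXISTS app;   -- assumed schema name

CREATE OR REPLACE FUNCTION app.count_rows()   -- assumed function name
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- function-level SET clause
AS $$
    -- Unqualified names here resolve under pg_catalog, pg_temp only.
    SELECT count(*) FROM pg_class;
$$;

-- A new function is executable by PUBLIC by default; restrict it.
REVOKE EXECUTE ON FUNCTION app.count_rows() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.count_rows() TO app_user;   -- assumed role

-- A top-level SET in the caller's session changes the session's
-- search_path, but not the one the function body runs under.
SET search_path = public;
SELECT app.count_rows();

-- Audit check: list SECURITY DEFINER functions outside pg_catalog that
-- carry no search_path entry in their SET clause (proconfig).
SELECT p.oid::regprocedure AS function,
       p.proconfig
FROM pg_proc p
WHERE p.prosecdef
  AND p.pronamespace <> 'pg_catalog'::regnamespace
  AND NOT EXISTS (
        SELECT 1 FROM unnest(coalesce(p.proconfig, '{}')) AS c
        WHERE c LIKE 'search_path=%'
      );
```

The audit query returns zero rows once every SECURITY DEFINER function in user schemas has a pinned search_path.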
