Re: Security Definer functions no longer works in PG14+

From: Andrew Borodin <amborodin86(at)gmail(dot)com>
To: Jan Katins <jasc(at)gmx(dot)net>
Cc: Jobin Augustine <jobinau(at)gmail(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: Security Definer functions no longer works in PG14+
Date: 2022-05-06 06:21:11
Message-ID: CAAhFRxg4c7Z=mmwKy9PRcmfrN5_t5+nNeZztevATrUa7aaVhuw@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc(at)gmx(dot)net> wrote:
>
> The aiven-extras repo has a workaround for that, using dblink: https://github.com/aiven/aiven-extras/commit/eb8c1107ca91a7da5ecb0c8127c94ce42762881d

> SECURITY DEFINER
> pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)', arg_subscription_name, arg_copy_data::TEXT)

Doesn't this constitute Bobby-tables SQL injection?

Best regards, Andrey Borodin.

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message David G. Johnston 2022-05-06 06:32:38 Re: Security Definer functions no longer works in PG14+
Previous Message Jobin Augustine 2022-05-06 05:37:28 Re: Security Definer functions no longer works in PG14+