Re: BUG #17598: EXTENSION can no longer create it's own schema! (Create Schema IF NOT EXISTS XXX)

Tom,
I understand the reason for the CVE, it was UNCLEAR that ALL "create
schema" requests within extensions could be affected.

So, following your advice, I commented out the "IF NOT EXISTS" part of the
create schema...
I get the following error: (As if the create extension is seeing that I
expect a certain schema, and it is creating it for me)

create extension simple_extension;
ERROR: schema "simple_extension" already exists
STATEMENT: create extension simple_extension;

STRANGE ENOUGH, if I completely comment out the CREATE SCHEMA. This
example works.
So, is it more accurate to say:
1) Define the schema in the .control file
2) Let the CREATE EXTENSION command create the schema [No extra syntax,
just create extension simple_extension]

Or am I still doing something wrong?

Finally, now I see another side-effect. *When I drop the extension, it
does not drop the schema!*
BUT it allows me to recreate the extension (with the schema present)
without errors.

Worse, I can drop the extension. Change the owner on the schema to someone
else. And recreate the extension.

Something seems off... OR I am clearly doing things incorrectly.

Thanks again.

Kirk Out!

On Mon, Aug 29, 2022 at 9:38 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> > Effectively if FEELS like the check for an schema/extension
> > "owning/belonging to" a schema/extension is failing.
> > In this case, the schema DOES NOT EXIST. And the create if not exists
> > FAILS! (Which feels like an edge case.
>
> This is an intentional change to close a security hole: it is unsafe for
> an extension script to use CREATE IF NOT EXISTS this way. (What if
> a hostile attacker created the schema? Now you are depending on a
> schema that the attacker has ownership privileges on.) Drop the
> IF NOT EXISTS clause, if you're expecting the extension to create the
> schema.
>
> regards, tom lane
>