Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

From: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, John H <johnhyvr(at)gmail(dot)com>, Alexander Kukushkin <cyberdemn(at)gmail(dot)com>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date: 2024-07-17 13:31:56
Message-ID: CAE9k0P=NOsU00X_dqBEgmQA+Qe4TawSrnsp3Y86u4W1tbsSqnA@mail.gmail.com
Lists: pgsql-hackers

Hi Robert,

On Tue, Jul 16, 2024 at 9:40 PM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> On Tue, Jul 16, 2024 at 1:55 AM Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> wrote:
> > Just to confirm, are you suggesting to remove the protected flag and
> > set the default search_path (as $extension_schema,) for all functions
> > within an extension where no explicit search_path is set?
>
> No, I'm not saying that. In fact I'm not sure we should have the
> protected flag at all.
>

Based on our previous discussions in this thread - [1], [2], we wanted
to give extension authors the ability to decide if they would like to
go with the current behavior or if they would like to adopt the new
behavior where the default search_path will be enforced for functions
that do not have search_path explicitly set. That is why we considered
introducing this flag.

> > In addition
> > to that, also allow users to explicitly set $extension_schema as the
> > search_path and bypass resolution of $extension_schema for objects
> > outside the extension?
>
> Yes, I'm saying that.
>

Sure, thanks for confirming. I'll make sure to address this in the
next patch version.

[1] - https://www.postgresql.org/message-id/340cd4a0c30b46a185e66b1c7e91535921137da8.camel%40j-davis.com
[2] - https://www.postgresql.org/message-id/CAGECzQSms%2BikWo7E0E1QAVvhM2%2B9FQydEywyCLztPaAYr9s%2BBw%40mail.gmail.com

--
With Regards,
Ashutosh Sharma.
