Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

From: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>
To: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date: 2024-06-11 11:31:56
Message-ID: CAGECzQSms+ikWo7E0E1QAVvhM2+9FQydEywyCLztPaAYr9s+Bw@mail.gmail.com
Lists: pgsql-hackers

On Tue, 11 Jun 2024 at 11:54, Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> wrote:
> 1) Extends the CREATE EXTENSION command to support a new option, SET
> SEARCH_PATH.

I don't think it makes sense to add such an option to CREATE EXTENSION.
I feel like such a thing should be part of the extension control file
instead. That way the extension author controls the search path, not
the person that installs the extension.
