| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Andrew Borodin <amborodin86(at)gmail(dot)com> |
| Cc: | Jan Katins <jasc(at)gmx(dot)net>, Jobin Augustine <jobinau(at)gmail(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Security Definer functions no longer works in PG14+ |
| Date: | 2022-05-06 06:32:38 |
| Message-ID: | CAKFQuwbuYz3wg2a8nyVZB+3aASDZu=sL=MXpBaVAHS_8pZ=HXg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Thursday, May 5, 2022, Andrew Borodin <amborodin86(at)gmail(dot)com> wrote:
> On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc(at)gmx(dot)net> wrote:
> >
> > The aiven-extras repo has a workaround for that, using dblink:
> https://github.com/aiven/aiven-extras/commit/
> eb8c1107ca91a7da5ecb0c8127c94ce42762881d
>
> > SECURITY DEFINER
> > pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH
> (copy_data=%s)', arg_subscription_name, arg_copy_data::TEXT)
>
> Doesn't this constitute Bobby-tables SQL injection?
>
>
How do you suppose the caller of the function gets the passed in boolean,
when cast to text, to print anything other than “t” or “f” (null might bork
things but still not unsafe)?
The %I handles the name.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Borodin | 2022-05-06 06:51:40 | Re: Security Definer functions no longer works in PG14+ |
| Previous Message | Andrew Borodin | 2022-05-06 06:21:11 | Re: Security Definer functions no longer works in PG14+ |