Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Isaac Morland <isaac(dot)morland(at)gmail(dot)com>
Cc: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Date: 2024-06-06 23:20:16
Message-ID: b2ed0e935761226eb01aabf04a3f93f8d09308e3.camel@j-davis.com
Lists: pgsql-hackers

On Fri, 2024-06-07 at 00:19 +0200, Jelte Fennema-Nio wrote:
> Even by default making the search_path "pg_catalog, pg_temp" for
> functions created by extensions would be very useful.

Right now there's no syntax to override that. We'd need something to
say "get the search_path from the session".

Regards,
Jeff Davis
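
The mechanism discussed in this message, as an added example that is not part of the original thread: today a function is pinned with a per-function `SET search_path` clause, and a function without one resolves names using the caller's session search_path. The function name `demo_definer_fn` is hypothetical; the catalog query lists extension-owned SECURITY DEFINER functions that have no pinned search_path.

```sql
-- Per-function pinning as it exists today: the SET clause fixes search_path
-- for the duration of each call. Function name and body are hypothetical.
CREATE FUNCTION demo_definer_fn() RETURNS text
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT current_setting('search_path') $$;

-- Audit: SECURITY DEFINER functions that are members of an extension and
-- carry no search_path entry in pg_proc.proconfig, so they resolve
-- unqualified names using the caller's session search_path.
SELECT e.extname,
       p.oid::regprocedure          AS function_signature,
       pg_get_userbyid(p.proowner)  AS owner
FROM pg_proc AS p
JOIN pg_depend AS d
  ON d.classid    = 'pg_proc'::regclass
 AND d.objid      = p.oid
 AND d.refclassid = 'pg_extension'::regclass
 AND d.deptype    = 'e'              -- 'e' marks extension membership
JOIN pg_extension AS e
  ON e.oid = d.refobjid
WHERE p.prosecdef                    -- SECURITY DEFINER only
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(p.proconfig) AS cfg   -- NULL proconfig yields no rows
        WHERE cfg LIKE 'search_path=%')
ORDER BY e.extname, p.proname;
```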
